Format of messages forwarded to a SIEM system

The application transmits data to a SIEM system in CEF 20 format. The following internal structures are used for data transmission:

• EventMessage – for events.
• ApplicationMessage – for application messages.
• AuditMessage – for audit entries.

Received messages are not converted to the system log protocol format.

Format of the EventMessage structure

The table below provides data in the following columns:

• EventMessage — field name in a message.
• Event — corresponding field of the event in Kaspersky Industrial CyberSecurity for Networks or a specific value.
• Description — field description.

  EventMessage	Event	Description
  dateTime	Start	Date and time (with precision down to the millisecond) when the event-triggering network packet was captured.
  hostname	Kaspersky Industrial CyberSecurity for Networks Server address	Address of the Kaspersky Industrial CyberSecurity for Networks Server.
  cefVersion	0	CEF version number.
  deviceVendor	Kaspersky Lab	Vendor.
  deviceProduct	Kaspersky Industrial CyberSecurity for Networks	Product name.
  deviceVersion	Example: 4.3.0.195	Version of Kaspersky Industrial CyberSecurity for Networks.
  messageType	Event	Sent message type.
  signatureId	Event type	Event type ID.
  name	Title	Event description.
  severity	Event severity level: 9 – scores 8.0–10.0 6 – scores 4.0–7.9 3 – scores 0.0–3.9	Event severity level. Values from 3 to 9, where 9 is the most severe event.
  score	Event score	Event score value.
  extension	Indicated in the Extension Fields table	Determined individually for each type of message.

Date and time is sent in the following format: YYYY-MM-DDThh:mm:ss.msZ. Example: 2025-03-30T22:14:15.030Z – time of the event, which occurred on March 30, 2025 at 22 hours, 14 minutes, 15 seconds, and 030 milliseconds.

Contents of Extension Fields

The table below provides data in the following columns:

• Extension — field name in a message.
• Related events — events in which the specific field is sent.
• Description — field description.

  Extension	Related events	Description
  cnt	Common fields of events	Counter of the number of times an event is repeated after the event is registered.
  dmac	Common fields of events	Destination MAC address.
  dmacas	Common fields of events	Address space for the destination MAC address.
  dpt	Common fields of events	Destination port.
  dst	Common fields of events	Destination IP address.
  das	Common fields of events	Address space for the destination MAC address (if additional address spaces are added to the application).
  end	Common fields of events	Event end time.
  smac	Common fields of events	Source MAC address.
  smacas	Common fields of events	Address space for the source MAC address.
  spt	Common fields of events	Source port.
  src	Common fields of events	Source IP address.
  srcas	Common fields of events	Address space for the source MAC address (if additional address spaces are added to the application).
  start	Common fields of events	Event registration time.
  technology	Common fields of events	Technology that was used to register the event.
  triggeredRule	Common fields of events	Triggered rule.
  protocol	Common fields of events	Protocol.
  vlanId	Common fields of events	VLAN ID.
  monitoringPoint	Common fields of events	Monitoring point whose traffic invoked registration of the event.
  sourceIndustrialAddress	Common fields of events	Application-level address for the source.
  destinationIndustrialAddress	Common fields of events	Application-level address for the destination.
  eventIdentifier	Common fields of events	Event ID.
  noTrafficDuration	No traffic at monitoring point	Period of no traffic.
  tagId	Invalid tag type	Tag ID.
  expectedTagType	Invalid tag type	Expected data type of tag.
  actualTagType	Invalid tag type	Actual data type of tag.
  ruleName	Process Control rule violation Intrusion Detection rule from the system set of rules was triggered	Rule name.
  tags	Process Control rule violation	Tags.
  msg	Intrusion Detection rule from the system set of rules was triggered	Message.
  substitutedIpAddress	Signs of ARP spoofing detected in ARP replies Signs of ARP spoofing detected in ARP requests	IP address of the source of network packets.
  targetIpAddress	Signs of ARP spoofing detected in ARP replies Signs of ARP spoofing detected in ARP requests	IP address of the destination of network packets.
  attackStartTimestamp	Signs of ARP spoofing detected in ARP replies Signs of ARP spoofing detected in ARP requests	Start time of the activity showing signs of an attack.
  ownerMac	IP address conflict detected New IP address detected New device detected New information received Traffic detected from MAC address MAC address added to device IP address added to device	MAC address of owner.
  ownerIp	New device detected MAC address added to device IP address added to device IP address conflict detected New MAC address detected	IP address of owner.
  challengerMac	IP address conflict detected	MAC address of challenger.
  newIpAddress	New IP address detected	New IP address.
  newMacAddress	New MAC address detected	New MAC address.
  oldIpAddress	New IP address detected	Old IP address.
  assetName	New device detected	Device name.

Device settings

The table below provides data on the settings of devices.

If one or two devices were identified for a detected interaction, Kaspersky Industrial CyberSecurity for Networks also sends known information about one or two devices to the SIEM system.

If multiple devices were identified for a detected interaction, the message is duplicated with different address information and different device settings (if the devices are different).

Extension	Device setting
srcAssetName	Name of the source device.
srcVendor	Vendor of the source device.
srcOS	Operating system of the source device.
srcNetworkName	Network name of the source device.
srcModel	Model of the source device.
dstAssetName	Name of the destination device.
dstVendor	Vendor of the destination device.
dstOS	Operating system of the destination device.
dstNetworkName	Network name of the destination device.
dstModel	Model of the destination device.

Format of the ApplicationMessage structure

The table below provides data in the following columns:

• EventMessage — field name in a message.
• Application message – corresponding field of the application messages in Kaspersky Industrial CyberSecurity for Networks or a specific value.
• Description — field description.

  EventMessage	Application message	Description
  dateTime	Occurrence date and time	Date and time (to the millisecond) when the situation that caused the message logging was detected.
  hostname	Address of Kaspersky Industrial CyberSecurity for Networks Server or sensor	Node address of Kaspersky Industrial CyberSecurity for Networks Nodes Server or sensor.
  cefVersion	0	CEF version number.
  deviceVendor	Kaspersky Lab	Vendor.
  deviceProduct	Kaspersky Industrial CyberSecurity for Networks	Product name.
  deviceVersion	Example: 4.3.0.195	Version of Kaspersky Industrial CyberSecurity for Networks.
  messageType	Application message	Sent message type.
  severity	Application messages severity level: 10 for the following statuses: Moderate malfunction, Critical malfunction, or Fatal malfunction. 5 for the following statuses: Unknown, Malfunction. 0 for the Normal operation status.	Application messages severity level. Values from 0 to 10, where 10 is the most severe message.
  address	Node address	Address of the node from which the message originated.
  systemProcess	Process name	Application process that invoked message registration.
  msg	Message	Numerical identifier and text of the message.

Format of the AuditMessage structure

The table below provides data in the following columns:

• EventMessage — field name in a message.
• Audit message – corresponding field of the audit entry in Kaspersky Industrial CyberSecurity for Networks or a specific value.
• Description — field description.

  EventMessage	Audit message	Description
  dateTime	Occurrence date and time	Date and time (to the millisecond) when the situation that caused the audit entry logging was detected.
  hostname	Kaspersky Industrial CyberSecurity for Networks Server address	Node address of Kaspersky Industrial CyberSecurity for Networks Server.
  cefVersion	0	CEF version number.
  deviceVendor	Kaspersky Lab	Vendor.
  deviceProduct	Kaspersky Industrial CyberSecurity for Networks	Product name.
  deviceVersion	Example: 4.3.0.195	Version of Kaspersky Industrial CyberSecurity for Networks.
  messageType	Audit message	Sent message type.
  address	User node	Address of the node where the registered action was performed.
  user	User	Name of the user that performed the registered action.
  action	Action	Registered action performed by the user.
  result	Result	Result of the registered action (successful or unsuccessful).
  msg	Description	Additional information about the registered action.

Page top