KSC Open API
Kaspersky Security Center API description
Parameters GNRL_EA_PARAM_* for some events

The list of general event attributes (GNRL_EA_PARAM_1 through GNRL_EA_PARAM_9) for each event type is presented below.

Event type | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
GNRL_EV_OBJECT_CURED Object name (paramString).
GNRL_EV_OBJECT_DELETED Object name (paramString).
GNRL_EV_OBJECT_REPORTED Object name (paramString).
GNRL_EV_PASSWD_ARCHIVE_FOUND Object name (paramString).
GNRL_EV_OBJECT_QUARANTINED Object name (paramString).
GNRL_EV_SUSPICIOUS_OBJECT_FOUND Object name (paramString). Virus name (paramString).
GNRL_EV_VIRUS_FOUND Object name (paramString). Virus name (paramString). User name (paramString). Threat type. See Threat types enum (paramInt).

GNRL_EV_ATTACK_DETECTED Attack name (paramString). Protocol name (paramString). IP address in host byte order as a string, for example, "2886729929" for "172.16.0.201" (paramString). Port (paramInt).

GNRL_EV_APPLICATION_LAUNCH_DENIED Identity of file (paramString). User name (paramString). Identity of custom category that has denied launch (paramString). Identity of KL category that has denied launch. Optional (paramString).

Additional attributes in JSON format. Optional (paramString). Possible attributes:

  • CertSerial
  • CertThumbprint
  • CertIssuer
  • CertSubject
  • ParentProcess

Example: {"CertSerial":"c29tZXRleHQ=","CertThumbprint":"ytRNM1243jkl;aFH","CertIssuer":"test.avp.ru","CertSubject":"test.avp.ru","ParentProcess":"notepad.exe"}

File name, up to 256 UNICODE characters (paramString). File path, up to 256 UNICODE characters (paramString). String representations in hex-format of MD5 and/or SHA256 hashes of the identity file separated by the delimiter ";" (paramString). File version, up to 50 UNICODE characters (paramString).
GNRL_EV_APP_LAUNCH_TESTED_ALLOW Identity of file (paramString). User name (paramString). Identity of custom category that has denied launch (paramString). String representation of the user SID in the format WIN-SID-<SID_as_uppercase_hex>. User type, string representation of User type enum (paramString).
GNRL_EV_APP_LAUNCH_TESTED_DENIED Identity of file (paramString). User name (paramString). Identity of custom category that has denied launch (paramString). String representation of the user SID in the format WIN-SID-<SID_as_uppercase_hex>. User type, string representation of User type enum (paramString).
GNRL_EV_ADSEC_DETECT Localized name of rule (up to 90 characters) (paramString). ID of rule (up to 64 characters) (paramString). Name of user (up to 256 characters) (paramString). Path name of source process (up to 260 characters) (paramString). Path name of source object (up to 260 characters) (paramString). Path name of target process (up to 260 characters) (paramString). Path name of target object (up to 260 characters) (paramString). Additional attributes in JSON format, see Extra attributes of Adaptive Anomalies Control events (paramString). Additional attributes in JSON format (to provide additional product information, not mentioned in Extra attributes of Adaptive Anomalies Control events) (paramString).
GNRL_EV_ADSEC_USER_REQUEST Localized name of rule (up to 90 characters) (paramString). ID of rule (up to 64 characters) (paramString). Name of user (up to 256 characters) (paramString). Path name of source process (up to 260 characters) (paramString). Path name of source object (up to 260 characters) (paramString). Path name of target process (up to 260 characters) (paramString). Path name of target object (up to 260 characters) (paramString). Additional attributes in JSON format, see Extra attributes of Adaptive Anomalies Control events (paramString). Additional attributes in JSON format (to provide additional product information, not mentioned in Extra attributes of Adaptive Anomalies Control events) (paramString).
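
The string-encoded values described above for GNRL_EV_ATTACK_DETECTED and GNRL_EV_APPLICATION_LAUNCH_DENIED need decoding before they are useful in a SIEM or triage script. The following is an added example, not part of the KSC Open API or its documentation; the function names are hypothetical. It takes each value by meaning rather than by GNRL_EA_PARAM_* index, and assumes the hash field holds hex digests that can be told apart by length (32 characters for MD5, 64 for SHA256).

```python
import hashlib
import ipaddress
import json

# Hex digest lengths used to tell the two hash types apart (assumption).
_HASH_BY_LEN = {32: "md5", 64: "sha256"}
_KNOWN_EXTRAS = ("CertSerial", "CertThumbprint", "CertIssuer",
                 "CertSubject", "ParentProcess")


def decode_attack_ip(value: str) -> str:
    """Turn the decimal string from GNRL_EV_ATTACK_DETECTED into dotted-quad form."""
    number = int(value.strip())
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {value!r}")
    return str(ipaddress.IPv4Address(number))


def split_identity_hashes(value: str) -> dict:
    """Split the ';'-delimited hash string into {'md5': ..., 'sha256': ...}."""
    hashes = {}
    for part in filter(None, (p.strip().lower() for p in value.split(";"))):
        kind = _HASH_BY_LEN.get(len(part))
        if kind is None or any(c not in "0123456789abcdef" for c in part):
            raise ValueError(f"unrecognised hash value: {part!r}")
        hashes[kind] = part
    return hashes


def parse_launch_denied_extras(value: str) -> dict:
    """Parse the optional JSON attribute string; empty input yields {}."""
    if not value:
        return {}
    extras = json.loads(value)
    if not isinstance(extras, dict):
        raise ValueError("additional attributes must be a JSON object")
    # Keep only the attribute names listed in the table.
    return {k: extras[k] for k in _KNOWN_EXTRAS if k in extras}


if __name__ == "__main__":
    # Constructed sample values; the IP string is the one quoted in the table.
    print(decode_attack_ip("2886729929"))
    sample = hashlib.md5(b"x").hexdigest() + ";" + hashlib.sha256(b"x").hexdigest()
    print(split_identity_hashes(sample))
    print(parse_launch_denied_extras(
        '{"CertIssuer":"test.avp.ru","ParentProcess":"notepad.exe"}'))
```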