Parameters c_er_par1..c_er_par9 for some general events. UID: a unique identifier that links a threat detection event to its processing result event.
Threat processing result events
Events:
- GNRL_EV_OBJECT_CURED
- GNRL_EV_OBJECT_DELETED
- GNRL_EV_OBJECT_REPORTED
- GNRL_EV_PASSWD_ARCHIVE_FOUND
- GNRL_EV_OBJECT_QUARANTINED
- GNRL_EV_OBJECT_NOTCURED
- GNRL_EV_OBJECT_PASSED
- GNRL_EV_OBJECT_BLOCKED
Parameters:
- GNRL_EA_PARAM_2 - Object name, paramString
- GNRL_EA_PARAM_6 - UID, paramString
- GNRL_EA_PARAM_3,4 - reserved for future use
See also: Other parameters
Threat detection events
Events:
- GNRL_EV_VIRUS_FOUND
- GNRL_EV_VIRUS_FOUND_BY_KSN
Parameters:
- GNRL_EA_PARAM_1 - SHA256 hash presented as hex-string, paramString
- GNRL_EA_PARAM_2 - Object name, paramString
- GNRL_EA_PARAM_5 - Virus name, paramString
- GNRL_EA_PARAM_6 - UID, paramString
- GNRL_EA_PARAM_7 - User name, paramString
- GNRL_EA_PARAM_8 - type of malicious action in string representation, for example L"61" for dtTROJAN; see EDetectionType, paramString
- GNRL_EA_PARAM_9 - additional attributes in JSON format; see Virus found event extra attributes, paramString
- GNRL_EA_PARAM_3,4 - reserved for future use
See also: Other parameters
Attack events
Event:
Parameters:
- GNRL_EA_PARAM_1 - Attack name
- GNRL_EA_PARAM_2 - Attacked protocol
- GNRL_EA_PARAM_3 - IPv4 address (an unsigned long integer) as a string, e.g.: L"2886729929"
- GNRL_EA_PARAM_4 - Attacked port
- GNRL_EA_PARAM_5 - IPv6 address (a hex 128-bit integer) as a string, e.g.: L"12B012B012B012B012B012B012B012B0"
- GNRL_EA_PARAM_6 - IPv4 (an unsigned long integer) or IPv6 (a hex 128-bit integer) address of attacked interface (see GNRL_EA_PARAM_3 and GNRL_EA_PARAM_5 for sample)
Event:
- GNRL_EV_PLC_ATTACK_DETECTED
Parameters:
- GNRL_EA_PARAM_1 - Binary id of the attacked PLC device as a hex string; see KLPLC::c_szwPLC_BinId, paramString (32)
- GNRL_EA_PARAM_2 - Attack type in string representation, for example L"1" for PLC_AT_FIRMWARE_CHANGED; see EPLCAttackType, paramString
- GNRL_EA_PARAM_3 - Address of the attacking host (optional): IPv4 (an unsigned long integer) as a string, or IPv6 (a hex 128-bit integer) as a string. Examples:
  - L"2886729929" (IPv4)
  - L"12B012B012B012B012B012B012B012B0" (IPv6)
- GNRL_EA_PARAM_4 - MAC address of the attacking host (optional). Example: ae80::2936:8a14:7ffb:51r8%11
- GNRL_EA_PARAM_5 - Name of the attacking host (optional)
See also: Other parameters
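As an added example (not part of this documentation or the product's SDK), the following Python decodes the address encodings used by the attack events above and links threat detection events to their processing result events through the shared UID in GNRL_EA_PARAM_6. The dict layout of an event and the sample values are assumptions made for the example.

```python
import ipaddress

DETECTION_EVENTS = {"GNRL_EV_VIRUS_FOUND", "GNRL_EV_VIRUS_FOUND_BY_KSN"}
RESULT_EVENTS = {"GNRL_EV_OBJECT_CURED", "GNRL_EV_OBJECT_DELETED", "GNRL_EV_OBJECT_REPORTED",
                 "GNRL_EV_PASSWD_ARCHIVE_FOUND", "GNRL_EV_OBJECT_QUARANTINED",
                 "GNRL_EV_OBJECT_NOTCURED", "GNRL_EV_OBJECT_PASSED", "GNRL_EV_OBJECT_BLOCKED"}

# Constructed sample events, not real product output. Assumption: each event is a dict
# with the event type under "type" and the GNRL_EA_PARAM_n values as plain str
# (the documentation's L"..." literals without the L prefix).
SAMPLE_EVENTS = [
    {"type": "GNRL_EV_VIRUS_FOUND", "GNRL_EA_PARAM_2": r"C:\Users\alice\Downloads\invoice.exe",
     "GNRL_EA_PARAM_5": "EICAR-Test-File", "GNRL_EA_PARAM_6": "uid-0001",
     "GNRL_EA_PARAM_7": r"CORP\alice", "GNRL_EA_PARAM_8": "61"},
    {"type": "GNRL_EV_OBJECT_QUARANTINED", "GNRL_EA_PARAM_2": r"C:\Users\alice\Downloads\invoice.exe",
     "GNRL_EA_PARAM_6": "uid-0001"},
    {"type": "GNRL_EV_VIRUS_FOUND_BY_KSN", "GNRL_EA_PARAM_2": r"C:\Temp\dropper.dll",
     "GNRL_EA_PARAM_5": "HEUR:Trojan.Win32.Generic", "GNRL_EA_PARAM_6": "uid-0002"},
    {"type": "GNRL_EV_PLC_ATTACK_DETECTED", "GNRL_EA_PARAM_2": "1",
     "GNRL_EA_PARAM_3": "2886729929"},
]


def decode_address(value: str) -> str:
    """Decode the address encodings of the attack events: IPv4 as the decimal text
    of an unsigned 32-bit integer, IPv6 as 32 hex digits of a 128-bit integer."""
    if len(value) == 32:
        return str(ipaddress.IPv6Address(int(value, 16)))
    n = int(value, 10)
    if n > 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {value!r}")
    return str(ipaddress.IPv4Address(n))


def correlate(events):
    """Pair each detection with its processing result through the shared UID
    (GNRL_EA_PARAM_6). Returns {uid: (detection_event, result_event_or_None)}."""
    pairs = {}
    for ev in events:
        uid = ev.get("GNRL_EA_PARAM_6")
        if ev["type"] in DETECTION_EVENTS:
            pairs.setdefault(uid, [None, None])[0] = ev["type"]
        elif ev["type"] in RESULT_EVENTS:
            pairs.setdefault(uid, [None, None])[1] = ev["type"]
    return {uid: tuple(v) for uid, v in pairs.items()}


def unresolved_detections(events):
    """UIDs of detections with no processing result yet: threats whose outcome
    (cured, quarantined, blocked, ...) is still unknown and worth following up."""
    return sorted(uid for uid, (det, res) in correlate(events).items() if det and res is None)
```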
Other parameters
Besides the parameters c_er_par1..c_er_par9 described above, all events (not just GNRL_EV_*) must contain the following parameters:
- KLEVP::c_er_severity (paramInt) - event severity, one of KLEVP_EVENT_SEVERITY_*: KLEVP_EVENT_SEVERITY_INFO, KLEVP_EVENT_SEVERITY_WARNING, KLEVP_EVENT_SEVERITY_ERROR, KLEVP_EVENT_SEVERITY_CRITICAL.
- KLEVP::c_er_task_display_name (paramString) - display name of the task that published the event.
- KLEVP::c_er_descr (paramString) - event description localized by the product (up to 1000 Unicode symbols).
- KLEVP::c_er_event_type_display_name (paramString) - event type name localized by the product.
- KLEVP::c_er_event_vm_info (paramParams) (optional) - information about the virtual machine:
  - KLEVP::c_er_event_vm_id (paramString (32))
  - KLEVP::c_er_event_vm_full_name (paramString (256))
  - KLEVP::c_er_event_vm_cluster_id (paramString (127))
  - KLEVP::c_er_event_vm_ipv4 (paramInt)