Event field name

Field value

DeviceAction

KEDR response

DeviceFacility

manual response or automatic response

EventOutcome

succeeded or failed

Message

Description of the error, if an error occurred, otherwise the field is empty.

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user who sent the request.

SourceUserID

ID of the user who sent the request.

SourceAssetID

KUMA asset ID which causes the response. The value is not specified if the response is based on a hash or for all assets.

DeviceExternalID

The external ID assigned to KUMA in KEDR. If there is only one external ID, it is not filled in when started on user hosts.

DeviceCustomString1

List of IP/FQDN addresses of the asset for the host prevention rule based on the selected hash from the event card.

DeviceCustomString1Label

user defined list of ips or hostnames

DeviceCustomString2

Sensor ID parameter in KEDR (UUIDv4 | 'all' | 'custom').

DeviceCustomString2Label

sensor id of asset in KATA/EDR

ServiceID

ID of the service that caused the response. Filled in only in case of automatic response.

DeviceCustomString3

Task type name: enable_network_isolation, disable_network_isolation, enable_prevention, disable_prevention, run_process.

DeviceCustomString3Label

kedr response kind

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name