About exported events

This section lists parameters of events that Kaspersky Security Integration with SIEM exports from Kaspersky Security for Microsoft Office 365 to Splunk Enterprise.

• PRI—A value is calculated from the system that generates the event (email system) and the event severity.
• VERSION—Version number of the syslog protocol standard. Currently, this parameter is always set to "1".
• TIMESTAMP—Date and time when the event is exported to Splunk Enterprise.
• HOSTNAME—Name of the Kaspersky Security for Microsoft Office 365 server that sends the event.
• APP-NAME—Name of the device or application that generates the event. The value is always "KS365".
• PROCID—The process name or process identifier of the application that sends the event. The value is always "-".
• MSGID—event identifier. For more details, see later in this section.
• STRUCTURED-DATA—Structured data that contains the Kaspersky identifier ("event@23668"), event identifier, and the event title, as sent from Kaspersky Security for Microsoft Office 365.
• MSG—The event title and description, as sent from Kaspersky Security for Microsoft Office 365.

Kaspersky Security for Microsoft Office 365 can export events with the following identifiers.

• ExchangeOnlineConnection—A problem with connecting to Exchange Online occurs. For example:
  • Invalid or absent credentials have been specified.
  • The specified user account has insufficient privileges to connect to Exchange Online.
  • There are no mailboxes to protect.
• License—A problem with a license occurs. For example:
  • A license limit has been exceeded.
  • A license is about to expire or has expired.
• VirusDetected—Viruses, Trojans, worms, and other security threats are detected in email messages.
• PhishingDetected—Phishing and malicious links are detected in email messages.
• AttachmentFiltering—Email messages with attached files that match the specified filtering criteria are detected.

Page top