Content and properties of CEF messages about user activity in the web interface
August 12, 2024
ID 247576
The header of each message contains the following information:
- Format version.
Current version number:
0
. Current field value:CEF:0
. - Vendor.
Current field value:
AO Kaspersky Lab
. - Application name.
Current field value:
Kaspersky Anti Targeted Attack Platform
. - Application version
Current field value: 6.0.0-200.
- Event type.
See the table below.
- Event name.
See the table below.
- Event importance.
Current field value:
Low
.Example:
CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|tasks|Managing tasks|Low|
All fields of the CEF message have the "<key>=<value>"
format. The keys, as well as their values contained in a message, are presented in the table below.
Event information in CEF messages
Event type | Event name and description | Key and description of its value |
---|---|---|
|
Connecting the Sensor component to the Central Node server, modifying component settings. |
|
|
Connecting the Sandbox component to the Central Node server. |
|
|
Configuring integration with external systems. |
|
|
Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response. |
|
|
Operations with YARA rules. |
|
|
Operations with IOC rules. |
|
|
Operations with IDS rules. |
|
|
Operations with TAA (IOA) rules. |
|
|
Operations with Sandbox rules. |
|
|
Operations with prevention rules. |
|
|
Operations with scan exclusion rules. |
|
endpoint_agents | Managing Endpoint Agent hosts Operations with hosts on which the Endpoint Agent component is installed. |
|
|
Operations with tasks. |
|
|
Network isolation of Endpoint Agent hosts. |
|
|
Modifying Central Node server settings. |
|
|
The set of virtual machine operating systems is changed to <version of the operating system set>. |
|
|
Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution and multitenancy mode. |
|
|
Actions on user accounts. |
|
|
Configuring email notifications. |
|
|
Managing the license key. |
|
If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.