Common substitution variables in Kaspersky Anti Targeted Attack Platform

You can use common variables to substitute current values in Kaspersky Anti Targeted Attack Platform. You can use common variables in the following settings:

To insert a common variable into an input field:

Start typing the name of the variable with the leading $ character and select the common variable from the displayed list.

Common variables can be used for interpolation in different settings, depending on the purpose of the variable (see the table below).

Common variables for value substitution

Variable

Description

Usage

$communications

Network interaction description strings (one string per network interaction), specifying the protocol and sender and recipient addresses of the network packet
  • User-defined settings for registering events.
  • Settings for forwarding events through a connector.

$dst_address

Network packet recipient address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information)
  • User-defined settings for registering events.

$extra.<paramName>

Extra variable added using the AddEventParam function for an external system or Lua script
  • User-defined settings for registering events.

$monitoring_point

Name of the monitoring point whose traffic caused the event to be registered
  • User-defined settings for registering events.
  • Settings for forwarding events through a connector.

$occurred

Date and time of registration
  • User-defined settings for registering events.
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$protocol

Name of the application layer protocol for which the event was logged
  • User-defined settings for registering events.

$src_address

Network packet sender address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information)
  • User-defined settings for registering events.

$technology_rule

Name of the rule in the event.
  • User-defined settings for registering events.
  • Settings for forwarding events through a connector.

$top_level_protocol

Name of the top-level protocol.
  • User-defined settings for registering events.

$type_id

Code of the event type, application message, or audit entry.
  • User-defined settings for registering events (the $event_type_id variable may also be used).
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$closed

Date and time when a status of Resolved was assigned or the date and time of the event regeneration period (for events that are not aggregate events), or the date and time of registration of the last event included in the incident (for aggregate events).
  • Settings for forwarding events through a connector.

$count

How many times a nested or aggregate event was triggered
  • Settings for forwarding events through a connector.

$description

Description
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$id

Unique ID of the registered event, application message, or audit entry.
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$message_category

Category of transmitted data (event, application message, or audit record).
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$message_count

Number of transmitted events, application messages or audit records.
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$messages

Template that consists of a block containing a list of data.
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$msg_line_templ

Email notification string template
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$node

Node with the installed application component that sent the data.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$result

Operation result in the audit entry.
  • Settings for forwarding audit entries through a connector.

$score

Event score value.
  • Settings for forwarding events through a connector.

$severity

Event severity level.
  • Settings for forwarding events through a connector.

$status

Application message status
  • Settings for forwarding application messages through a connector.

$system_process

Application process that caused the message to be registered
  • Settings for forwarding application messages through a connector.

$technology

Technology associated with the event.
  • Settings for forwarding events through a connector.

$title

Event title, message text, or registered action.
  • Settings for forwarding events through a connector.
  • Settings for forwarding application messages through a connector.
  • Settings for forwarding audit entries through a connector.

$user

Name of the user that performed the registered action.
  • Settings for forwarding audit entries through a connector.

Page top