You can use common variables to substitute current values in Kaspersky Anti Targeted Attack Platform. You can use common variables in the following settings:
Start typing the name of the variable with the leading $ character and select the common variable from the displayed list.
Common variables can be used for interpolation in different settings, depending on the purpose of the variable (see the table below).
| Variable | Description | Usage |
|---|---|---|
| $communications | Network interaction description strings (one string per network interaction), specifying the protocol and sender and recipient addresses of the network packet | User-defined settings for registering events; settings for forwarding events through a connector |
| $dst_address | Network packet recipient address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information) | User-defined settings for registering events |
| $extra.<paramName> | Extra variable added using the AddEventParam function for an external system or Lua script | User-defined settings for registering events |
| $monitoring_point | Name of the monitoring point whose traffic caused the event to be registered | User-defined settings for registering events; settings for forwarding events through a connector |
| $occurred | Date and time of registration | User-defined settings for registering events; settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $protocol | Name of the application layer protocol for which the event was logged | User-defined settings for registering events |
| $src_address | Network packet sender address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information) | User-defined settings for registering events |
| $technology_rule | Name of the rule in the event. | User-defined settings for registering events; settings for forwarding events through a connector |
| $top_level_protocol | Name of the top-level protocol. | User-defined settings for registering events |
| $type_id | Code of the event type, application message, or audit entry. | User-defined settings for registering events (the $event_type_id variable may also be used); settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $closed | Date and time when a status of Resolved was assigned or the date and time of the event regeneration period (for events that are not aggregate events), or the date and time of registration of the last event included in the incident (for aggregate events). | Settings for forwarding events through a connector |
| $count | How many times a nested or aggregate event was triggered | Settings for forwarding events through a connector |
| $description | Description | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $id | Unique ID of the registered event, application message, or audit entry. | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $message_category | Category of transmitted data (event, application message, or audit record). | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $message_count | Number of transmitted events, application messages or audit records. | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $messages | Template that consists of a block containing a list of data. | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $msg_line_templ | Email notification string template | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $node | Node with the installed application component that sent the data. | Settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $result | Operation result in the audit entry. | Settings for forwarding audit entries through a connector |
| $score | Event score value. | Settings for forwarding events through a connector |
| $severity | Event severity level. | Settings for forwarding events through a connector |
| $status | Application message status | Settings for forwarding application messages through a connector |
| $system_process | Application process that caused the message to be registered | Settings for forwarding application messages through a connector |
| $technology | Technology associated with the event. | Settings for forwarding events through a connector |
| $title | Event title, message text, or registered action. | Settings for forwarding events through a connector; settings for forwarding application messages through a connector; settings for forwarding audit entries through a connector |
| $user | Name of the user that performed the registered action. | Settings for forwarding audit entries through a connector |