Records in the application user activity log

The header of each message contains the following information:

Format version.
Current version number: 0. Current field value: CEF:0.
Vendor.
Current field value: AO Kaspersky Lab.
Application name.
Current field value: Kaspersky Anti Targeted Attack Platform.
Application version
Current field value: 7.1.1.531.
Event type.
See the table below.
Event name.
See the table below.
Event importance.
Current field value: Low.

Example:

CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.1.1.531|tasks|Managing tasks|Low|

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

Event type	Event name and description	Key and description of its value
`alerts`	`User actions performed on alerts` Operations with alerts.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label` = <user that the alert is assigned to>. `externalId` = <alert ID>.
`ep`	`Managing hosts with the Endpoint Agent component` Operations with hosts on which the Endpoint Agent component is installed.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label` = <name of the host with the Endpoint Agent component>.
`storage`	`Managing objects in Storage and Quarantine` Operations with objects in Storage and Quarantine	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label` = <name of the file placed in Storage or Quarantine>.
`sensors`	`Managing the Sensor component` Connecting the Sensor component to the Central Node server, modifying component settings.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`sb`	`Configuring integration with the Sandbox component` Connecting the Sandbox component to the Central Node server.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`ex_integration`	`Configuring integration with external systems` Configuring integration with external systems.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`ksn_kpsn_mdr`	`Participation in KSN, KPSN and MDR` Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`yara`	`Managing YARA rules` Operations with YARA rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label` = <name of the uploaded file>.
`ioc`	`Managing indicator of compromise` Operations with IOC rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`ids`	`Managing IDS rules` Operations with IDS rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`taa`	`Managing TAA rules` Operations with TAA (IOA) rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`sb_rules`	`Managing Sandbox rules` Operations with Sandbox rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`prevention`	`Managing prevention rules` Operations with prevention rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`exclusions`	`Managing scan exclusions` Operations with scan exclusion rules.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`tasks`	`Managing tasks` Operations with tasks.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`network_isolation`	`Network isolation of Endpoint Agent hosts` Network isolation of Endpoint Agent hosts.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`settings`	`Settings` Modifying Central Node server settings	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`vip`	`Managing rules for assigning the VIP status` Operations with rules for assigning the VIP status to alerts.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`report`	`Managing reports` Operations with reports.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label =` <name of report or report template>.
`mt`	`Managing CN, PCN and SCN servers` Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution and multitenancy mode. Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously. Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`user_account`	`Managing user accounts` Actions on user accounts.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label =` <name of the user whose account was created or edited>. `cn1` = <number of failed authorization attempts>.
`user_account`	`Count of unsuccessful authorization attempts exceeded` Failed authorization attempt limit exceeded.
`notifications`	`Sending notifications` Configuring email notifications.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`license`	`License` Managing the license key.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>.
`system_health`	`System health` Checking the health of application components.	`dvchost` = <host name of the Central Node>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `suser` = <user name>. `cs1` = <event type>. `cs1label =` <component object>. `msg` = <check result>.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.

Page top