Matching of CEF message fields

CEF messages are sent in the English language.

The table below lists the man components of the header and body of CEF messages sent by Kaspersky Container Security.

Components and values of CEF message components

Component	Value	Example
Standard header of the CEF message (syslog header)	The header is sent in the following format: `<date>` `<time>` <`host name of the server`>.	`Feb 18 10:07:28 host`
CEF format prefix and version	`<CEF>:<version>`	`CEF:0`
Event ID	Solution vendor (Device Vendor) Solution name (Device Product) Solution version (Device Version)	`Kaspersky` `Kaspersky Container Security` `2.0`
Unique event type ID (Signature ID)	Kaspersky Container Security sends the following event type IDs: `ADM-ХХХ`: Administration event. `CVE-XXX`: Risk acceptance with regard to a vulnerability or expiration of such risk acceptance. `MLW-XXX`: Risk acceptance with regard to a piece of malware or for expiration of such risk acceptance. `NCMP-001`: Non-compliance of an image with requirements. `CMP-001`: Compliance of an image with requirements. `SD-XXX`: Risk acceptance with regard to sensitive data or for expiration of such risk acceptance. `MS-XXX`: Risk acceptance with regard to misconfigurations or for expiration of such risk acceptance. `CI-ХХХ`: Event in the CI/CD process. `PLC-ХХХ`: Event when applying a secuity policy. `BNCH-ХХХ`: Event when scanning the cluster and nodes. `AG-ХХХ`: Event related to an agent. `SJ-ХХХ`: Event of the scanner. `RT-ХХХ`: Event of a best practice check. `API-ХХХ`: Request to API server. `PM-ХХХ`: Event when implementing processes. `FM-ХХХ`: Event involving access to objects in the container file system. `NT-ХХХ`: Network connection. `FPM-XXX` – an event of a runtime policy violation during a process `FNT-XXX` – an event of a runtime policy violation related to a network connection `FFM-XXX` – an event of a runtime policy violation related to an access to objects in the container file system `FFTP-XXX` – an event of a runtime policy violation related to File Threat Protection	Some of the event type IDs sent by the solution: `ADM-001: User 1 added user 2`. `CVE-001: User 1 accepted risk for image XXX` `AG-002: Agent XXX is disconnected` `BNCH-003: YYY was passed while scanning XXX` `PLC-001: YYY was applied to image XXX` `NCMP-001: Image XXX was marked as non-compliant` `SD-008: XXX risk acceptance expires`
Description of the event (Name)	The description must be user-readable and relevant to the event type ID. For example, 'Administration' for ADM or 'Process management' for PM.	Some of the event names sent by the solution: `Process management` `File management` `Networking`
Importance of the event (Severity)	The severity of the event on a scale from 0 to 10 is determined as follows: 0–3: Low 4–6: Medium 7–8: High 9–10: Very high The severity score of an event depends on the event type and status (Success or Failure).	For example, the severity score can be determined as follows: For PM (`Process management`) and NT (`Networking`) events: If event status is `Audited` or `Blocked`, the severity is 7. For any other status, the severity is 3. For AG (`Agents`) events: If the event is successful, the severity is 5. If an error occurred, the severity is 10. For API events: If the event is successful, the severity is 3. If an error occurred, the severity is 8.
Additional information about the event (Extension)	Additional information may include one or more sets of key-value pairs.	Information about the key-value pairs that Kaspersky Container Security transfers is provided below.

Additional information about an event which is transferred by Kaspersky Container Security

Key	Value	Usage
`source`	The domain (pod name) of the event source (Source name).	In all events
`src`	One of the following IP addresses in an IPv4 network (Source IP): for network traffic – the IP address of the connection source for administration events – the IP address of the action initiator	In all events
`reason`	Description of the Reason of the Error status.	In all events with the Error status, except `PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`fname`	Image or artifact name (Artifact name)	`CI-ХХХ`, `SJ-ХХХ`, `ADM-ХХХ`, `CVE-ХХХ`, `MLW-ХХХ`, `SD-ХХХ`, `MS-ХХХ`, `CMP-001`, `PLC-ХХХ`, `NCMP-001`
`suser`	The name of the user that initiated the action (Username)	In all events except `PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dpid`	Process identifier (PID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`spid`	Parent process identifier (PPID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`flexString1`	Effective Group Identifier (EGID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`flexString2`	Container ID	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`outcome`	Execution status or mode (Status) The value is defined as follows: For runtime events (`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`), the execution mode (Audit, Enforce, or Other) is specified. For other events, the execution status is specified (Success or Error). If the status is Error, the solution also transfers the error text or code (`reason`).	In all events
`request`	Image name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`fileHash`	Image digest	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`act`	One of the following operation types (Operation): for file operations – the type of operation (`open`, `close`, `read`, `write`, `create`, `delete`, `chmod`, `chown`, `rename`) for network traffic – direction and type of traffic (`egress`, `ingress`, `egress_response`, `ingress_response`) for processes – the `exec` value for File Threat Protection operations – the `ftp` value	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`spt`	Source port	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dst`	IP address of the destination in the IPv4 network (Destination IP)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dpt`	Destination port	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dproc`	Process name (command)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`duid`	Effective User Identifier (EUID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`filePermission`	File access permissions (`mode_t mode`)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`oldFilePath`	Previously used file path (Old File Path)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`filePath`	Path to the file (Path) For events involving access to objects in the file system of a container, `filePath` is used to pass information about the new path to the file (New File Path).	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`deviceDirection`	Connection type (Traffic type) 0 for ingress connections, 1 for egress connections.	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cn1`	New process identifier (New PID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs1`	Cluster name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs2`	Node name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs3`	Namespace name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs4`	Executed command (Command) For events involving access to objects in the file system of a container, `cs4` is used to pass information about the new owner of the file (NewOwner).	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs5`	Pod name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs6`	Container name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs7`	Node IP	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`

Page top