System event types based on Asset Management technology

This article provides a description of system event types associated with Asset Management technology (see the table below).

System event types based on Asset Management technology (AM)

Columns: Code | Title of event type | Registration conditions

4000005003

Detected new device with the address $owner_ip_or_mac

Asset Management monitoring mode resulted in the automatic addition of a new device based on a detected IP address or MAC address that has not been specified for other devices in the table.

When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the assigned name of the device
  • $assigned_mac: the assigned MAC address (if defined)
  • $owner_ip: the assigned IP address (if defined)
  • $asset_id: the ID of the device

4000005004

Received new information about device with the address $owner_ip_or_mac

Asset Management monitoring mode resulted in the automatic update of device information based on data obtained from traffic.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $updated_params: a list of updated information
  • $asset_id: the ID of the device

4000005005

IP address $owner_ip conflict detected

In Asset Management monitoring mode, the application detected the use of an IP address by a different device than the device for which this IP address was specified.

The following variables are used in the title and description of an event type:

  • $owner_ip: the IP address
  • $challenger_asset_name: the name of the device that used the IP address
  • $challenger_mac: the MAC address of the device that used the IP address
  • $asset_name: the name of the device in whose settings the IP address was specified
  • $owner_mac: the MAC address of the device in whose settings the IP address was specified
  • $challenger_ips_lis: a list of other IP addresses of the device that used the IP address
  • $asset_id: the ID of the device in whose settings the IP address was specified
  • $challenger_id: the ID of the device that used the IP address

4000005006

Detected traffic from address $owner_ip_or_mac, which is assigned to a device with the Archived status

In Asset Management monitoring mode or based on data received from an EPP application, activity was detected from a device that was assigned a status of Archived.

When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $last_seen_timestamp: the date and time when the device was last seen in the network
  • $asset_id: the ID of the device

4000005007

A new IP address $new_ip_addr was detected for the device with MAC address $owner_mac

In Asset Management monitoring mode, a new IP address used by a device was detected.

The following variables are used in the title and description of an event type:

  • $new_ip_addr: the detected IP address
  • $owner_mac: the MAC address of the device
  • $asset_name: the name of the device
  • $owner_ips_list: a list of other IP addresses of the device
  • $asset_id: the ID of the device

4000005008

MAC address $owner_mac was added to the device with IP address $owner_ip

Asset Management monitoring mode resulted in the automatic addition of a MAC address for a network interface for which only an IP address was specified (the device had a status of Unauthorized or Archived).

The following variables are used in the title and description of an event type:

  • $owner_mac: the detected MAC address of the device
  • $owner_ip: the IP address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005009

IP address $owner_ip was added to the device with MAC address $owner_mac

Asset Management monitoring mode resulted in the automatic addition of an IP address for a network interface for which only a MAC address was specified (the device had a status of Unauthorized or Archived).

The following variables are used in the title and description of an event type:

  • $owner_ip: the detected IP address of the device
  • $owner_mac: the MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005010

Detected new MAC address $new_mac_addr for device with the IP address $owner_ip

Asset Management monitoring mode resulted in the detection of a new MAC address used by a device (auto update of address information is disabled for the device).

The following variables are used in the title and description of an event type:

  • $new_mac_addr: the detected MAC address
  • $owner_ip: the IP address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device
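
The event types 4000005003 through 4000005010 above are all produced by the same decision: for each (IP, MAC) pair seen in traffic, find which device in the table owns the IP and which owns the MAC, and act on the combination. The following is an added example (not code from Kaspersky Industrial CyberSecurity for Networks) that models that decision. The statuses, event codes and the `$variable` names used as dictionary keys are from this page; the `Asset` and `AssetMonitor` classes, the rule that an archived device is kept when traffic from it is seen, and the constructed inventory and traffic in `demo()` are assumptions of the example.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks:
# a minimal model of the Asset Management monitoring logic behind event types
# 4000005003-4000005010. Statuses, event codes and variable names are from the
# page; the classes, the demo inventory and the demo traffic are assumed.
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: int
    name: str
    status: str                        # "Authorized", "Unauthorized" or "Archived"
    macs: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    auto_update: bool = True           # automatic update of address information


class AssetMonitor:
    def __init__(self, assets):
        self.assets = {a.asset_id: a for a in assets}
        self.next_id = max(self.assets, default=0) + 1

    def find(self, attr, value):
        """Device whose 'macs' or 'ips' set contains value, or None."""
        return next((a for a in self.assets.values() if value in getattr(a, attr)), None)

    def observe(self, ip, mac):
        """Process one (ip, mac) pair seen in traffic; return [(event_code, variables), ...]."""
        events = []
        by_mac, by_ip = self.find("macs", mac), self.find("ips", ip)

        if by_mac is None and by_ip is None:
            # 4000005003: neither address is specified for any device -> add a new one
            new = Asset(self.next_id, f"Device {self.next_id}", "Unauthorized", {mac}, {ip})
            self.assets[new.asset_id] = new
            self.next_id += 1
            return [(4000005003, {"owner_ip_or_mac": ip, "asset_name": new.name,
                                  "assigned_mac": mac, "owner_ip": ip, "asset_id": new.asset_id})]

        for a in {x.asset_id: x for x in (by_mac, by_ip) if x is not None}.values():
            if a.status == "Archived":
                # 4000005006: activity from a device that has the Archived status
                events.append((4000005006, {"owner_ip_or_mac": ip, "asset_name": a.name,
                                            "asset_id": a.asset_id}))

        if by_ip is None:                                   # known MAC, IP not specified anywhere
            if not by_mac.ips and by_mac.status in ("Unauthorized", "Archived"):
                by_mac.ips.add(ip)                          # 4000005009: interface had only a MAC
                events.append((4000005009, {"owner_ip": ip, "owner_mac": mac,
                                            "asset_name": by_mac.name, "asset_id": by_mac.asset_id}))
            else:
                # 4000005007: a new IP address for a known device
                events.append((4000005007, {"new_ip_addr": ip, "owner_mac": mac, "asset_name": by_mac.name,
                                            "owner_ips_list": sorted(by_mac.ips), "asset_id": by_mac.asset_id}))
                if by_mac.auto_update:
                    by_mac.ips.add(ip)
        elif by_mac is None:                                # known IP, MAC not specified anywhere
            if not by_ip.macs and by_ip.status in ("Unauthorized", "Archived"):
                by_ip.macs.add(mac)                         # 4000005008: interface had only an IP
                events.append((4000005008, {"owner_mac": mac, "owner_ip": ip,
                                            "asset_name": by_ip.name, "asset_id": by_ip.asset_id}))
            elif not by_ip.auto_update:
                # 4000005010: a different MAC behind the device's IP, auto update disabled
                events.append((4000005010, {"new_mac_addr": mac, "owner_ip": ip,
                                            "asset_name": by_ip.name, "asset_id": by_ip.asset_id}))
            else:
                by_ip.macs.add(mac)                         # 4000005004: information updated from traffic
                events.append((4000005004, {"owner_ip_or_mac": ip, "asset_name": by_ip.name,
                                            "updated_params": ["mac"], "asset_id": by_ip.asset_id}))
        elif by_mac is not by_ip:
            # 4000005005: the IP is specified for one device but is used by another
            events.append((4000005005, {"owner_ip": ip, "challenger_asset_name": by_mac.name,
                                        "challenger_mac": mac, "asset_name": by_ip.name,
                                        "owner_mac": next(iter(by_ip.macs), None),
                                        "challenger_ips_list": sorted(by_mac.ips - {ip}),
                                        "asset_id": by_ip.asset_id, "challenger_id": by_mac.asset_id}))
        return events


def demo():
    """Constructed inventory and traffic; returns the event codes registered per observation."""
    mon = AssetMonitor([
        Asset(1, "PLC-1", "Authorized", {"00:11:22:33:44:01"}, {"10.0.0.1"}),
        Asset(2, "HMI-1", "Authorized", {"00:11:22:33:44:02"}, {"10.0.0.2"}, auto_update=False),
        Asset(3, "Old-ENG", "Archived", {"00:11:22:33:44:03"}, {"10.0.0.3"}),
        Asset(4, "Unknown-4", "Unauthorized", set(), {"10.0.0.4"}),
    ])
    traffic = [("10.0.0.1", "00:11:22:33:44:01"),    # normal traffic, no event
               ("10.0.0.99", "00:11:22:33:44:99"),   # unknown IP and MAC
               ("10.0.0.1", "00:11:22:33:44:02"),    # HMI-1 using PLC-1's IP address
               ("10.0.0.11", "00:11:22:33:44:01"),   # PLC-1 on an additional IP
               ("10.0.0.3", "00:11:22:33:44:03"),    # archived device is active again
               ("10.0.0.4", "00:11:22:33:44:04"),    # MAC learned for an IP-only device
               ("10.0.0.2", "00:11:22:33:44:22")]    # new MAC behind HMI-1's IP
    return [[code for code, _ in mon.observe(ip, mac)] for ip, mac in traffic]


if __name__ == "__main__":
    for codes in demo():
        print(codes)
```

The order of the checks matters: the archived-device check runs before the address checks because an archived device can also trigger 4000005008 or 4000005009 on the same packet, and the conflict check (4000005005) only fires when both addresses are known but belong to different devices. A MAC that is seen behind another device's IP while auto update is enabled is absorbed as a 4000005004 update, so on a segment where MAC updates are allowed, an IP takeover by a new host is only visible as that update, not as a conflict.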

4000005011

Change of MAC address $owner_mac to $challenger_mac detected in device information received from EPP application

The MAC address of a device was updated according to data received from an EPP application.

The following variables are used in the title and description of an event type:

  • $owner_mac: an old MAC address of the device
  • $challenger_mac: a new MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005012

New address information for device $asset_name found in data received from EPP program

New address information of a device was detected in data received from an EPP application. This type of event is registered if a change in device address information was not processed by the application as an event with code 4000005009 or 4000005010.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $detected_epp_addresses: address information
  • $asset_id: the ID of the device

4000005013

Conflict detected in addresses of devices $conflicted_epp_assets after data received from EPP program

Based on data received from an EPP application, a conflict was detected in the addresses of multiple devices in Kaspersky Industrial CyberSecurity for Networks. According to data from the EPP application, the addresses belong to the same device.

The following variables are used in the title and description of an event type:

  • $conflicted_epp_assets: devices with conflicting addresses detected
  • $unaccepted_epp_addresses: addresses that belong to the same device

4000005014

Subnet $subnet_mask added based on data from EPP application

After data was received from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to an address space whose data source can be the integration server that received the data from the EPP application. If several such address spaces exist, the application chooses the one that contains the most suitable parent subnet for the new nested subnet.

The following variables are used in the title and description of an event type:

  • $subnet_mask: a subnet address
  • $subnet_type: a subnet type

4000005015

Equipment change is detected for the device with the following address: $owner_ip_or_mac

Based on the data received from the EPP application, the device equipment information was updated using the equipment monitoring functionality.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $added_asset_hardware: a list of added equipment
  • $modified_asset_hardware: a list of modified equipment
  • $removed_asset_hardware: a list of removed equipment

4000005200

PLC Project Control: detected read of unknown block from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of an unknown block of a project from a PLC (if there is no saved information about this block).

When registering the event, the application may simultaneously register the risk named Reading unknown block of project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $block_name: the name of the block
  • $saved_date_time: the date and time when the operation was detected

4000005201

PLC Project Control: detected read of known block from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of a known block of a project from a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block).

When registering the event, the application may simultaneously register the risk named Reading known block of project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $block_name: the name of the block
  • $saved_date_time: the date and time when the block was saved in the application

4000005202

PLC Project Control: detected write of new block to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a new block of a project to a PLC (if there is no saved information about this block).

When registering the event, the application may simultaneously register the risk named Writing new block of project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $block_name: the name of the block
  • $saved_date_time: the date and time when the operation was detected

4000005203

PLC Project Control: detected write of known block to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a known block of a project to a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block).

When registering the event, the application may simultaneously register the risk named Writing known block of project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $block_name: the name of the block
  • $saved_date_time: the date and time when the block was saved in the application

4000005204

PLC Project Control: detected read of unknown project from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of an unknown project from a PLC (if there is no saved information about this project).

When registering the event, the application may simultaneously register the risk named Reading unknown project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $saved_date_time: the date and time when the operation was detected

4000005205

PLC Project Control: detected read of known project from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of a known project from a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project).

When registering the event, the application may simultaneously register the risk named Reading known project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $saved_date_time: the date and time when the project was saved in the application

4000005206

PLC Project Control: detected write of new project to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a new project to a PLC (if there is no saved information about this project).

When registering the event, the application may simultaneously register the risk named Writing new project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $saved_date_time: the date and time when the operation was detected

4000005207

PLC Project Control: detected write of known project to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a known project to a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project).

When registering the event, the application may simultaneously register the risk named Writing known project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name: the name of the device
  • $saved_date_time: the date and time when the project was saved in the application
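
The eight PLC Project Control event types above (4000005200 through 4000005207) are the same check applied along three axes: block or whole project, read or write, and whether saved information exists and matches. The following is an added example (not code from Kaspersky Industrial CyberSecurity for Networks) of that classification. Event codes and variable names are from this page; storing a SHA-256 digest of the observed content as the "saved information", treating the observed content as the new reference after each event, and the sequence of operations in `demo()` are assumptions of the example.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks:
# how PLC Project Control read/write monitoring tells a known block or project
# from an unknown one (event types 4000005200-4000005207). Event codes and
# variable names are from the page; the digest-based "saved information", the
# rule that observed content becomes the new reference, and the demo are assumed.
import hashlib
from datetime import datetime, timezone

EVENT_CODE = {  # (kind, operation, saved information exists) -> event code
    ("block", "read", False): 4000005200,    ("block", "read", True): 4000005201,
    ("block", "write", False): 4000005202,   ("block", "write", True): 4000005203,
    ("project", "read", False): 4000005204,  ("project", "read", True): 4000005205,
    ("project", "write", False): 4000005206, ("project", "write", True): 4000005207,
}


class ProjectControl:
    def __init__(self):
        # (asset_name, kind, block_name) -> (sha256 hex digest, saved_date_time)
        self.saved = {}

    def observe(self, asset_name, operation, kind, content, block_name=None, now=None):
        """Classify one read/write of a block or of a whole project; return the event or None."""
        if kind not in ("block", "project") or operation not in ("read", "write"):
            raise ValueError("kind must be block/project and operation read/write")
        key = (asset_name, kind, block_name)
        now = now or datetime.now(timezone.utc)
        digest = hashlib.sha256(content).hexdigest()
        known = key in self.saved
        if known and self.saved[key][0] == digest:
            return None                          # matches the latest saved information: no event
        event = {"code": EVENT_CODE[(kind, operation, known)],
                 "asset_name": asset_name, "block_name": block_name,
                 # unknown: time the operation was detected; known: time the saved copy was stored
                 "saved_date_time": self.saved[key][1] if known else now}
        self.saved[key] = (digest, now)          # assumption: observed content becomes the reference
        return event


def demo():
    """Constructed sequence of engineering operations; returns the event code per operation."""
    pc = ProjectControl()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ops = [
        ("PLC-1", "read", "block", b"OB1 v1", "OB1"),     # first sight of OB1 -> unknown block
        ("PLC-1", "read", "block", b"OB1 v1", "OB1"),     # same content -> no event
        ("PLC-1", "write", "block", b"OB1 v2", "OB1"),    # known block, different content
        ("PLC-1", "write", "block", b"FC10 v1", "FC10"),  # block never seen before is written
        ("PLC-1", "read", "block", b"FC10 v9", "FC10"),   # known block read back, differs
        ("PLC-2", "read", "project", b"proj A", None),    # unknown project read
        ("PLC-2", "write", "project", b"proj B", None),   # known project overwritten
        ("PLC-3", "write", "project", b"proj C", None),   # new project written to an unseen PLC
        ("PLC-3", "read", "project", b"proj D", None),    # known project read back, differs
    ]
    out = []
    for i, (asset, op, kind, content, name) in enumerate(ops):
        ev = pc.observe(asset, op, kind, content, block_name=name, now=t0.replace(minute=i))
        out.append(ev["code"] if ev else None)
    return out


if __name__ == "__main__":
    print(demo())
```

The second operation in `demo()` is the important negative case: a read of a block whose content equals the saved copy registers nothing, which is why a 4000005201 or 4000005205 event always means the PLC is serving content that differs from what the application last saw, not merely that someone read the project.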

4000005600

Changes detected in the list of users on the device with the address $owner_ip_or_mac

Changes to user information were detected while controlling users on devices.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $added_asset_users: a list of added users
  • $modified_asset_users: a list of modified users
  • $removed_asset_users: a list of removed users

4000005601

Changes detected in the list of applications on the device with the address $owner_ip_or_mac

Changes to information about applications on the device were detected while monitoring applications and patches on devices.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $added_asset_apps: a list of added applications
  • $removed_asset_apps: a list of removed applications

4000005602

Changes detected in the list of patches on the device with the address $owner_ip_or_mac

Changes in device patch information were detected while monitoring applications and patches on devices.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $added_asset_patches: a list of added patches
  • $removed_asset_patches: a list of removed patches

4000005603

Changes detected in the configuration component $inventory_loc_key on the device

While monitoring device configurations, changes were detected in the configuration component when the device scan results were compared with the previous configuration (for jobs that run in the Update only or Archive versions configuration processing modes).

The following variables are used in the title and description of an event type:

  • $inventory_loc_key: the name of the configuration component
  • $device_config_inventory_changed_format: the changes detected in the configuration component

4000005604

Discrepancies detected compared with the reference configuration component $inventory_loc_key on the device

While monitoring device configurations, discrepancies were found between the device scan results and the reference configuration component (for jobs that run in the Compare with benchmark configuration processing mode).

The following variables are used in the title and description of an event type:

  • $inventory_loc_key: the name of the configuration component
  • $device_config_diverged_format: detected discrepancies compared to the reference configuration component
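
The event types 4000005600 through 4000005604 above are all set comparisons between two snapshots of a device inventory (users, applications, patches, or a configuration component). What distinguishes 4000005603 from 4000005604 is what the new scan is compared against: the previous scan, which the new one then replaces, or a fixed reference that is never replaced. The following is an added example (not code from Kaspersky Industrial CyberSecurity for Networks) showing both comparisons. Event codes, variable names and mode names are from this page; the `{name: attributes}` snapshot format, the `ConfigMonitor` class and the sample scans are assumptions of the example.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks:
# the comparison behind event types 4000005600-4000005604, showing the
# difference between the "Update only" mode (each scan is compared with the
# previous one, which it then replaces) and the "Compare with benchmark" mode
# (each scan is compared with a fixed reference). Codes, variable names and
# mode names are from the page; snapshot format, class and sample data are assumed.


def diff_inventory(previous, current):
    """Added / modified / removed names between two {name: attributes} snapshots."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    modified = sorted(n for n in set(previous) & set(current) if previous[n] != current[n])
    return {"added": added, "modified": modified, "removed": removed}


def user_list_event(asset, previous_users, current_users):
    """4000005600 if the device's user list changed, else None.
    Applications (4000005601) and patches (4000005602) use the same shape without 'modified'."""
    d = diff_inventory(previous_users, current_users)
    if not any(d.values()):
        return None
    return {"code": 4000005600, "owner_ip_or_mac": asset["address"], "asset_name": asset["name"],
            "asset_id": asset["id"], "added_asset_users": d["added"],
            "modified_asset_users": d["modified"], "removed_asset_users": d["removed"]}


class ConfigMonitor:
    MODES = ("update_only", "compare_with_benchmark")

    def __init__(self, mode, reference=None):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        self.reference = reference or {}    # inventory_loc_key -> {key: value}, fixed benchmark
        self.previous = {}                  # inventory_loc_key -> last scan, used in update_only

    def process_scan(self, scan):
        """scan: {inventory_loc_key: {key: value}}; returns 4000005603 / 4000005604 events."""
        events = []
        for component, current in scan.items():
            if self.mode == "compare_with_benchmark":
                d = diff_inventory(self.reference.get(component, {}), current)
                if any(d.values()):
                    events.append({"code": 4000005604, "inventory_loc_key": component,
                                   "device_config_diverged_format": d})
                # the reference is not replaced: a divergence is reported on every scan until fixed
            else:
                prev = self.previous.get(component)
                if prev is not None:
                    d = diff_inventory(prev, current)
                    if any(d.values()):
                        events.append({"code": 4000005603, "inventory_loc_key": component,
                                       "device_config_inventory_changed_format": d})
                self.previous[component] = current   # this scan is the baseline for the next one
        return events


def demo():
    """Constructed scans of one device; event codes per scan for both processing modes."""
    baseline = {"sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}}
    drifted = {"sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
                               "Banner": "/etc/issue"}}
    upd = ConfigMonitor("update_only")
    bench = ConfigMonitor("compare_with_benchmark", reference=baseline)
    scans = (baseline, drifted, drifted)
    return {"update_only": [[e["code"] for e in upd.process_scan(s)] for s in scans],
            "benchmark": [[e["code"] for e in bench.process_scan(s)] for s in scans]}


if __name__ == "__main__":
    print(demo())
```

The third scan in `demo()` shows the practical difference: in Update only mode a change is reported once and then becomes the new normal, so a job in that mode will not keep reminding you that `PermitRootLogin` is now `yes`; in Compare with benchmark mode the same drift is reported on every scan until the device is brought back to the reference.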

4000005700

Public key mismatch detected while connecting to the device remotely

When connecting to the device remotely, a mismatch was detected between the received device public key and the value stored in the application. Device scan canceled.

The following variables are used in an event type description:

  • $asset_name: the name of the device
  • $new_asset_sshpublickey: received public key
  • $old_asset_sshpublickey: stored public key

4000005701

Public key mismatch detected during device active polling

While actively polling a device, a mismatch was detected between the received device public key and the value stored in the application. Active polling canceled for the device.

The following variables are used in an event type description:

  • $asset_name: the name of the device
  • $new_asset_sshpublickey: received public key
  • $old_asset_sshpublickey: stored public key
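
Event types 4000005700 and 4000005701 are the same host-key pinning check an SSH client performs against its known_hosts file: the key presented by the device is compared with the copy stored when the device was first added, and the session is abandoned on a mismatch. The following is an added example (not code from Kaspersky Industrial CyberSecurity for Networks) of that check, including the OpenSSH-style SHA256 fingerprint that lets you compare the two keys in the event against `ssh-keygen -lf` output taken on the device itself. Event codes and variable names are from this page; the `fingerprint` and `check_host_key` functions, the extra `*_fingerprint` and `action` fields, and the constructed sample keys are assumptions of the example.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks:
# the host-key check behind event types 4000005700 and 4000005701, written the
# way an OpenSSH client compares a received key with a pinned one. Event codes
# and variable names are from the page; the helpers, the extra fingerprint/action
# fields and the constructed keys are assumptions of this example.
import base64
import hashlib
import struct


def _ssh_string(b):
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey(raw32):
    """Build an OpenSSH 'ssh-ed25519 <base64>' line from 32 raw bytes (constructed sample, not a real key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line):
    """SHA256:<base64> fingerprint as printed by 'ssh-keygen -lf', after checking the blob's type field."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_host_key(asset_name, stored, received, active_polling=False):
    """Return None when the received key matches the stored one; otherwise the mismatch event.
    The caller must abandon the connection when an event is returned (scan or polling canceled)."""
    old_fp, new_fp = fingerprint(stored), fingerprint(received)
    if old_fp == new_fp:
        return None
    return {"code": 4000005701 if active_polling else 4000005700,
            "asset_name": asset_name,
            "old_asset_sshpublickey": stored, "new_asset_sshpublickey": received,
            "old_fingerprint": old_fp, "new_fingerprint": new_fp,
            "action": "active polling canceled" if active_polling else "device scan canceled"}


if __name__ == "__main__":
    pinned = make_ed25519_pubkey(bytes(range(32)))       # key stored when the device was added
    presented = make_ed25519_pubkey(bytes(32))           # key the device presents today
    print(check_host_key("PLC-1", pinned, pinned))       # None: nothing to report
    print(check_host_key("PLC-1", pinned, presented))    # 4000005700 with both fingerprints
```

The same mismatch is produced by a legitimate key rotation (device reimaged, firmware replaced, SSH host keys regenerated) and by a host impersonating the device on the network, and the event alone cannot tell the two apart. Confirm the new fingerprint out of band with whoever maintains the device before replacing the stored key; updating the stored key on an unverified mismatch turns a pinning check into trust on first use.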

4000000004

Test event (AM)

A test network packet was detected (with the device activity detection method enabled).
