This article provides a description of system event types associated with Asset Management technology (see the table below).
System event types based on Asset Management technology (AM)
Code |
Title of event type |
Registration conditions |
---|---|---|
4000005003 |
Detected new device with the address $owner_ip_or_mac |
Asset Management monitoring mode resulted in the automatic addition of a new device based on a detected IP address or MAC address that has not been specified for other devices in the table. When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005004 |
Received new information about device with the address $owner_ip_or_mac |
Asset Management monitoring mode resulted in the automatic update of device information based on data obtained from traffic. The following variables are used in the title and description of an event type:
|
4000005005 |
IP address $owner_ip conflict detected |
In Asset Management monitoring mode, the application detected the use of an IP address by a different device than the device for which this IP address was specified. The following variables are used in the title and description of an event type:
|
4000005006 |
Detected traffic from address $owner_ip_or_mac, which is assigned to a device with the Archived status |
In Asset Management monitoring mode or based on data received from an EPP application, activity was detected from a device that was assigned a status of Archived. When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005007 |
A new IP address $new_ip_addr was detected for the device with MAC address $owner_mac |
In Asset Management monitoring mode, a new IP address used by a device was detected. The following variables are used in the title and description of an event type:
|
4000005008 |
MAC address $owner_mac was added to the device with IP address $owner_ip |
Asset Management monitoring mode resulted in the automatic addition of a MAC address for a network interface for which only an IP address was specified (the device had a status of Unauthorized or Archived). The following variables are used in the title and description of an event type:
|
4000005009 |
IP address $owner_ip was added to the device with MAC address $owner_mac |
Asset Management monitoring mode resulted in the automatic addition of an IP address for a network interface for which only a MAC address was specified (the device had a status of Unauthorized or Archived). The following variables are used in the title and description of an event type:
|
4000005010 |
Detected new MAC address $new_mac_addr for device with the IP address $owner_ip |
Asset Management monitoring mode resulted in the detection of a new MAC address used by a device (auto update of address information is disabled for the device). The following variables are used in the title and description of an event type:
|
4000005011 |
Change of MAC address $owner_mac to $challenger_mac detected in device information received from EPP application |
The MAC address of a device was updated according to data received from an EPP application. The following variables are used in the title and description of an event type:
|
4000005012 |
New address information for device $asset_name found in data received from EPP program |
New address information of a device was detected in data received from an EPP application. This type of event is registered if a change in device address information was not processed by the application as an event with code 4000005009 or 4000005010. The following variables are used in the title and description of an event type:
|
4000005013 |
Conflict detected in addresses of devices $conflicted_epp_assets after data received from EPP program |
Based on data received from an EPP application, a conflict was detected in the addresses of multiple devices in Kaspersky Industrial CyberSecurity for Networks. According to data from the EPP application, the addresses belong to the same device. The following variables are used in the title and description of an event type:
|
4000005014 |
Subnet $subnet_mask added based on data from EPP application |
After data was received from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to an address space in which the data source may be the integration server that received data from an EPP application. If there are several of these address spaces available, the application chooses the address space that contains the most suitable subnet for automatically adding a new nested subnet. The following variables are used in the title and description of an event type:
|
4000005015 |
Equipment change is detected for the device with the following address: $owner_ip_or_mac |
Based on the data received from the EPP application, the device equipment information was updated using the equipment monitoring functionality. The following variables are used in the title and description of an event type:
|
4000005200 |
PLC Project Control: detected read of unknown block from PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected read of an unknown block of a project from a PLC (if there is no saved information about this block). When registering the event, the application may simultaneously register the risk named Reading unknown block of project from PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005201 |
PLC Project Control: detected read of known block from PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected read of a known block of a project from a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block). When registering the event, the application may simultaneously register the risk named Reading known block of project from PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005202 |
PLC Project Control: detected write of new block to PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected write of an unknown block of a project from a PLC (if there is no saved information about this block). When registering the event, the application may simultaneously register the risk named Writing new block of project to PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005203 |
PLC Project Control: detected write of known block to PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected write of a known block of a project from a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block). When registering the event, the application may simultaneously register the risk named Writing known block of project to PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005204 |
PLC Project Control: detected read of unknown project from PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected read of an unknown project from a PLC (if there is no saved information about this project). When registering the event, the application may simultaneously register the risk named Reading unknown project from PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005205 |
PLC Project Control: detected read of known project from PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected read of a known project from a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project). When registering the event, the application may simultaneously register the risk named Reading known project from PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005206 |
PLC Project Control: detected write of new project to PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected write of a new project to a PLC (if there is no saved information about this project). When registering the event, the application may simultaneously register the risk named Writing new project to PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005207 |
PLC Project Control: detected write of known project to PLC $asset_name |
PLC Project Control read/write monitoring resulted in a detected write of a known project to a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project). When registering the event, the application may simultaneously register the risk named Writing known project to PLC for this device. In this case, the risk is associated with the event. The following variables are used in the title and description of an event type:
|
4000005600 |
Changes detected in the list of users on the device with the address $owner_ip_or_mac |
Changes to user information were detected while controlling users on devices. The following variables are used in the title and description of an event type:
|
4000005601 |
Changes detected in the list of applications on the device with the address $owner_ip_or_mac |
Changes to information about applications on the device were detected while monitoring applications and patches on devices. The following variables are used in the title and description of an event type:
|
4000005602 |
Changes detected in the list of patches on the device with the address $owner_ip_or_mac |
Changes in device patch information were detected while monitoring applications and patches on devices. The following variables are used in the title and description of an event type:
|
4000005603 |
Changes detected in the configuration component $inventory_loc_key on the device |
While monitoring device configurations, changes in the configuration component were detected when comparing to the previous configuration according to device scan results (for jobs that run in the Update only and/or Archive versions configuration processing modes). The following variables are used in the title and description of an event type:
|
4000005604 |
Discrepancies detected compared with the reference configuration component $inventory_loc_key on the device |
When monitoring device configurations, discrepancies were found compared to the reference configuration component according to device scan results (for jobs that run in the Compare with benchmark configuration processing mode). The following variables are used in the title and description of an event type:
|
4000005700 |
Public key mismatch detected while connecting to the device remotely |
When connecting to the device remotely, a mismatch was detected between the received device public key and the value stored in the application. Device scan canceled. The following variables are used in an event type description:
|
4000005701 |
Public key mismatch detected during device active polling |
While actively polling a device, a mismatch was detected between the received device public key and the value stored in the application. Active polling canceled for the device. The following variables are used in an event type description:
|
4000000004 |
Test event (AM) |
A test network packet was detected (with the device activity detection method enabled). |