DNS Security events

The table below lists the keys and values in a message with the DNS Security event type.

Information about an event with the DNS Security event type

| Key | Value |
|---|---|
| cs4, cs4Label | Event priority. Always High. This value is displayed by default. |
| devicePayloadId | Session ID. |
| deviceDirection | Connection direction from the raw event. Possible values: 0 – request; 1 – response. This value is displayed by default. |
| cs1, cs1Label | Detected object. Possible values: Malware; Phishing; Malware, Phishing. This value is displayed by default. |
| act | Action performed when the domain was visited. This value is displayed by default. |
| cs3, cs3Label | Sources of the detection. Possible value: Local. |
| rt | Date and time when the event was generated on the Kaspersky NGFW device (when the session was removed and ended up in the Kaspersky NGFW Session manager). Format: 2023-12-26T12:31:54Z. |
| dtz | Time zone on the device. |
| dvchost | Host name of the Kaspersky NGFW device. This value is displayed by default. |
| dhost | List of domain names or IP addresses on which DNS Security was triggered. The values are separated by commas. Example: zeus.ru, ya.ru. This value is displayed by default. |
| src | Source IP address. This value is displayed by default. |
| dst | Destination IP address. This value is displayed by default. |
| proto | L3–L4 protocol. Possible values: UDP; TCP. This value is displayed by default. |
| spt | For TCP and UDP, the source port. For ICMP, the ICMP ID. For other protocols, this field is left empty. |
| dpt | For TCP and UDP, the destination port. For ICMP, the ICMP ID. For other protocols, this field is left empty. |
| app | L7 protocol from the Application Control detection. The only possible value is DNS. |
| KasperskyNgfwDnsProfile | Triggered DNS Security profile. This value is displayed by default. |
| externalId | Session ID. |
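
An added example, not part of the product documentation: a Python normalizer that turns the keys listed above into typed fields a detection rule can match on. It assumes the message carries space-separated key=value pairs and that the trailing Z in rt means UTC; the sample message, including its label texts, host name, addresses, action, profile name and session ID, is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample (assumed wire format: space-separated key=value pairs).
SAMPLE = (
    "cs4=High cs4Label=Priority deviceDirection=0 cs1=Malware, Phishing "
    "cs1Label=Detected object act=Block cs3=Local cs3Label=Sources "
    "rt=2023-12-26T12:31:54Z dvchost=ngfw-01 dhost=zeus.ru, ya.ru "
    "src=192.0.2.10 dst=198.51.100.53 proto=UDP spt=53124 dpt=53 app=DNS "
    "KasperskyNgfwDnsProfile=example-profile externalId=4711"
)

# A key is a word followed by '=' at the start or after whitespace, so values
# such as "Malware, Phishing" or "zeus.ru, ya.ru" keep their inner spaces.
_KEY = re.compile(r"(?:^|\s)(\w+)=")
DIRECTION = {"0": "request", "1": "response"}

def parse_pairs(message):
    """Split the message into a dict of raw key -> value strings."""
    hits = list(_KEY.finditer(message))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        fields[m.group(1)] = message[m.end():end].strip()
    return fields

def split_list(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def normalize(message):
    """Map the documented keys to named, typed fields for a detection rule."""
    f = parse_pairs(message)
    event = {
        "priority": f.get("cs4"),
        "direction": DIRECTION.get(f.get("deviceDirection"), "unknown"),
        "detected": split_list(f.get("cs1")),
        "domains": [d.lower() for d in split_list(f.get("dhost"))],
        "action": f.get("act"),
        "profile": f.get("KasperskyNgfwDnsProfile"),
        "session": f.get("externalId") or f.get("devicePayloadId"),
        # Assumption: the trailing "Z" in rt denotes UTC.
        "time": datetime.strptime(f["rt"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
    }
    # spt/dpt are ports only for TCP and UDP; empty fields become None.
    if f.get("proto") in ("TCP", "UDP"):
        event["src_port"] = int(f["spt"]) if f.get("spt") else None
        event["dst_port"] = int(f["dpt"]) if f.get("dpt") else None
    return event
```

Splitting dhost and cs1 into lists matters because both fields can hold several comma-separated values in one event, and a rule that compares the raw string against a single domain or category would miss those events.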
