IDPS log

The table below lists the keys and values in a message with the IDPS event type.

Information about an event with the IDPS event type

Key

Value

cs4 (label in cs4Label)

Event priority; corresponds to the severity of the triggered IDPS rule. As with every CEF custom string, cs4 carries the value and cs4Label the field name.

Possible values:

  • Low
  • Medium
  • High

This value is displayed by default.

devicePayloadId

Session ID.

For events of Network scanning protection rules, the field is empty.

deviceDirection

Connection direction from the raw event. Possible values:

  • 0 – request
  • 1 – response

cs3 (label in cs3Label)

Source of the detection (cs3 carries the value, cs3Label the field name).

Always Local.

rt

Date and time when the event was generated on the Kaspersky NGFW device (the moment the session was removed and handed to the Kaspersky NGFW Session manager).

Format: 2023-12-26T12:31:54Z (ISO 8601; the trailing Z denotes UTC).

dtz

Time zone on the device.

dvchost

Host name of the Kaspersky NGFW device.

This value is displayed by default.

src

Source IP address.

This value is displayed by default.

dst

Destination IP address.

This value is displayed by default.

proto

L3–L4 protocol from the Transport Layer field of the IDPS alert.

This value is displayed by default.

spt

Source port.

dpt

Destination port.

app

L7 protocol from the Application Layer field of the IDPS alert.

This value is displayed by default.

cn1

Rule ID.

This value is displayed by default.

cat

Vulnerability type of the rule.

Examples:

  • HackTool.BindTaskSchedulerService.ATSVC.C&C
  • Exploit.CVE-2018-1111.DHCP.C&C

This value is displayed by default.

cs2 (label in cs2Label)

Pairs of MITRE ATT&CK tactics and techniques of the rule (cs2 carries the value, cs2Label the field name).

Can contain several pairs (an array of values).

This value is displayed by default.

act

Action applied to the detected object.

This value is displayed by default.

KasperskyNGFWIDPSProfile

Triggered IDPS security profile.

Empty for Network scanning protection rules.

This value is displayed by default.
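The following parser is an added example (not Kaspersky's own code or sample output) showing how a SIEM-side collector would read IDPS messages in CEF using the keys above: it splits the seven header fields, splits the extension only at positions where a new key= begins so that values containing spaces survive, resolves the cs2/cs3/cs4 values through their *Label keys, expands cs2 into a list, maps deviceDirection to request/response, and treats the empty devicePayloadId and KasperskyNGFWIDPSProfile of Network scanning protection rules as absent. The two sample lines are constructed for this example; the CEF header values (Kaspersky|NGFW|1.0|IDPS|IDPS alert), the comma as the separator between cs2 pairs, the label names and the second line's category are assumptions, not values documented on this page.

```python
"""Parse Kaspersky NGFW IDPS events in CEF into normalized records.

Added example, not Kaspersky's code. Extension keys follow the IDPS table;
the header fields, the comma separator inside cs2, the *Label names and the
sample messages themselves are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIORITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
DIRECTION = {"0": "request", "1": "response"}

# Constructed sample messages (not taken from the page).
SAMPLE_LINES = [
    "CEF:0|Kaspersky|NGFW|1.0|IDPS|IDPS alert|7|"
    "rt=2023-12-26T12:31:54Z dtz=UTC dvchost=ngfw-edge-01 "
    "src=10.0.0.15 dst=203.0.113.7 proto=TCP spt=51234 dpt=445 app=SMB "
    "cn1=100123 cat=Exploit.CVE-2018-1111.DHCP.C&C "
    "cs4=High cs4Label=Priority cs3=Local cs3Label=DetectionSource "
    "cs2=TA0001:T1190,TA0002:T1059 cs2Label=MITRE "
    "act=Block deviceDirection=0 devicePayloadId=sess-42 "
    "KasperskyNGFWIDPSProfile=Edge Profile",
    # Network scanning protection rule: session ID and profile are empty.
    # The category name below is constructed, not a documented rule.
    "CEF:0|Kaspersky|NGFW|1.0|IDPS|IDPS alert|3|"
    "rt=2023-12-26T12:32:10Z dtz=UTC dvchost=ngfw-edge-01 "
    "src=198.51.100.9 dst=10.0.0.15 proto=TCP spt=40000 dpt=22 app=SSH "
    "cn1=900001 cat=Scan.PortScan cs4=Low cs4Label=Priority "
    "cs3=Local cs3Label=DetectionSource cs2=TA0043:T1595 cs2Label=MITRE "
    "act=Alert deviceDirection=1 devicePayloadId= "
    "KasperskyNGFWIDPSProfile=",
]

# Split the extension only at a space that is followed by the next key=,
# so values with embedded spaces (e.g. a profile name) stay intact.
_KV_SPLIT = re.compile(r" (?=[A-Za-z0-9_]+=)")


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Return the 7 CEF header fields and the extension as a key/value map."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields: Dict[str, str] = {}
    for chunk in _KV_SPLIT.split(parts[7].strip()):
        key, _, value = chunk.partition("=")
        # Undo the two escapes CEF permits inside extension values.
        fields[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return parts[:7], fields


def custom_string(fields: Dict[str, str], n: int) -> Tuple[str, str]:
    """Return (label, value) for custom string csN, resolving csNLabel."""
    return fields.get(f"cs{n}Label", f"cs{n}"), fields.get(f"cs{n}", "")


@dataclass
class IdpsEvent:
    time: str
    host: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    app: str
    rule_id: int
    category: str
    priority: str
    detection_source: str
    mitre: List[str]
    action: str
    direction: str
    session_id: Optional[str]  # None for Network scanning protection rules
    profile: Optional[str]     # None for Network scanning protection rules


def parse_idps_event(line: str) -> IdpsEvent:
    """Normalize one IDPS CEF message into an IdpsEvent."""
    _, f = parse_cef(line)
    _, priority = custom_string(f, 4)
    _, source = custom_string(f, 3)
    _, mitre = custom_string(f, 2)
    return IdpsEvent(
        time=f.get("rt", ""), host=f.get("dvchost", ""),
        src=f.get("src", ""), dst=f.get("dst", ""), proto=f.get("proto", ""),
        spt=int(f["spt"]) if f.get("spt") else None,
        dpt=int(f["dpt"]) if f.get("dpt") else None,
        app=f.get("app", ""), rule_id=int(f.get("cn1", "0")),
        category=f.get("cat", ""), priority=priority, detection_source=source,
        mitre=[m for m in mitre.split(",") if m],  # cs2 may hold several pairs
        action=f.get("act", ""),
        direction=DIRECTION.get(f.get("deviceDirection", ""), "unknown"),
        session_id=f.get("devicePayloadId") or None,
        profile=f.get("KasperskyNGFWIDPSProfile") or None,
    )


def triage(lines: List[str], min_priority: str = "Medium") -> List[IdpsEvent]:
    """Keep events whose rule priority (cs4) is at least min_priority."""
    floor = PRIORITY_RANK[min_priority]
    return [e for e in (parse_idps_event(ln) for ln in lines)
            if PRIORITY_RANK.get(e.priority, 0) >= floor]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES, "Low"):
        print(ev.time, ev.host, ev.priority, ev.category, ev.action,
              ev.mitre, ev.session_id or "-", ev.profile or "-")
```

Because devicePayloadId is the only key that ties an IDPS event to a session, the collector keeps it as None rather than "" so that downstream joins on session ID do not silently match every Network scanning protection event against every other record with an empty field.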
