KUMA audit events

Audit events are created when certain security-related actions are completed in KUMA. These events are used to ensure system integrity.

To view audit events, go to the Events section in KUMA and add "SELECT * FROM 'events' WHERE Type=4" to the query.

When the query runs, audit events are displayed in the Events section, provided the user's role allows viewing audit events.

Event fields with general information

Every audit event has the event fields described below.

| Event field name | Field value |
|---|---|
| Timestamp | Event time. |
| DeviceHostName | The event source host. For audit events, it is the hostname where kuma-core is installed, because it is the source of events. |
| DeviceTimeZone | Timezone of the system time of the server hosting the KUMA Core in the format +-hh:mm. |
| Type | Type of the audit event. Audit or Base. |
| TenantID | ID of the main tenant. |
| DeviceVendor | Kaspersky |
| DeviceProduct | KUMA |
| EndTime | Event creation time. |
| SpaceID | KUMA Audit |

In this section

User was successfully signed in or failed to sign in

User login changed

User role was changed

Other data of the user was changed

User logged out

User password was changed

User was created

User role was assigned

User role was revoked

The user has edited the set of fields settings to define sources

Alert assigned to the user

User access token was changed

Key file added

Application activated with an activation code

Reserve license key added

Reserve license key deleted

License renewed

Invalid activation code

License key blocked

License key deleted

License replaced

EPS exceeded

License expiration and start of grace period

End of grace period

Expired license key added

Changed the set of spaces to differentiate access to events

Service monitoring thresholds changed

KUMA Core settings modified

GeoIP databases imported

Service was created

Service was deleted

Service was reloaded

Service was restarted

Service was started

Service was paired

Service status was changed

Partition index was deleted by user

Partition automatically deleted after retention period

Partition deleted by absolute retention period

Partition deleted by relative retention period

Partition moved to cold storage

Error moving partition to cold storage

Active list was successfully cleared or operation failed

Active list item was successfully changed, or operation was unsuccessful

Active list item was successfully deleted or operation was unsuccessful

Active list was successfully imported or operation failed

Active list was exported

Context table exported

Context table successfully imported or operation failed

Context table item successfully modified or operation failed

Context table item successfully deleted or operation failed

Context table successfully cleared or operation failed

Resource was added

Resource was deleted

Resource was updated

Importing resources

Asset was created

Asset was deleted

Asset category was added

Asset category was deleted

Settings were updated

Tenant was created

Tenant was enabled

Tenant was disabled

Other tenant data was changed

The dictionary was successfully updated on the service or operation was unsuccessful

Dictionary entry added

Dictionary entry successfully deleted or the operation failed

Incident successfully created or operation failed

Incident successfully closed or operation failed

Incident assigned to a user or operation failed

Alert linked to an incident or alert unlinked from an incident, or operation failed

VictoriaMetrics alert registered for service or operation failed

Event linked to an alert or unlinked from an alert, or operation failed

Response in Active Directory

Extended event schema field created

Extended event schema field edited

Extended event schema field imported

Normalizer with extended event schema field imported

Extended event schema field deleted

Query sent to KIRA

KICS/KATA response

Kaspersky Automated Security Awareness Platform response

KEDR response

Importing MITRE ATT&CK techniques and tactics
