KEDR response

Event field name	Field value
`DeviceAction`	`KEDR response`
`DeviceFacility`	`manual response` or `automatic response`
`EventOutcome`	`succeeded` or `failed`
`Message`	Description of the error, if an error occurred, otherwise the field is empty.
`SourceTranslatedAddress`	This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.
`SourceAddress`	The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.
`SourcePort`	Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.
`SourceUserName`	Login of the user who sent the request.
`SourceUserID`	ID of the user who sent the request.
`SourceAssetID`	KUMA asset ID which causes the response. The value is not specified if the response is based on a hash or for all assets.
`DeviceExternalID`	The external ID assigned to KUMA in KEDR. If there is only one external ID, it is not filled in when started on user hosts.
`DeviceCustomString1`	List of IP/FQDN addresses of the asset for the host prevention rule based on the selected hash from the event card.
`DeviceCustomString1Label`	`user defined list of ips or hostnames`
`DeviceCustomString2`	Sensor ID parameter in KEDR (UUIDv4 \| 'all' \| 'custom').
`DeviceCustomString2Label`	`sensor id of asset in KATA/EDR`
`ServiceID`	ID of the service that caused the response. Filled in only in case of automatic response.
`DeviceCustomString3`	Task type name: `enable_network_isolation`, `disable_network_isolation`, `enable_prevention`, `disable_prevention`, `run_process`.
`DeviceCustomString3Label`	`kedr response kind`
`DeviceCustomString5`	Tenant ID.
`DeviceCustomString5Label`	`tenant ID`
`DeviceCustomString6`	Tenant name.
`DeviceCustomString6Label`	`tenant name`

Page top