Content and properties of CEF messages about user activity in the web interface

The header of each message contains the following information:

Format version.
Current version number: 0. Current field value: CEF:0.
Vendor.
Current field value: AO Kaspersky Lab.
Application name.
Current field value: Kaspersky Anti Targeted Attack Platform.
Application version
The current field value is 5.1.0-6596.
Event type.
See the table below.
Event name.
See the table below.
Event importance.
Current field value: Low.

Example:

CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|5.1.0-6596|tasks|Managing tasks|Low|

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

Event type	Event name and description	Key and description of its value
`sensors`	`Managing the Sensor component` Connecting the Sensor component to the Central Node server, modifying component settings.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`sb`	`Configuring integration with the Sandbox component` Connecting the Sandbox component to the Central Node server.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`ex_integration`	`Configuring integration with external systems` Configuring integration with external systems.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`ksn_kpsn_mdr`	`Participation in KSN, KPSN and MDR` Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`yara`	`Managing YARA rules` Operations with YARA rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>. `device external ID` = <ID of the host in distributed solution mode>. `cs1label` = <name of the uploaded file>.
`ioc`	`Managing indicator of compromise` Operations with IOC rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>. `deviceExternalID` = <identifier of the host in distributed solution mode>.
`ids`	`Managing IDS rules` Operations with IDS rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>. `deviceExternalID` = <identifier of the host in distributed solution mode>.
`taa`	`Managing TAA rules` Operations with TAA (IOA) rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`sb rules`	`Managing Sandbox rules` Operations with Sandbox rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`prevention`	`Managing prevention rules` Operations with prevention rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`exclusions`	`Managing scan exclusions` Operations with scan exclusion rules.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
endpoint_agents	Managing Endpoint Agent hosts Operations with hosts on which the Endpoint Agent component is installed.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`tasks`	`Managing tasks` Operations with tasks.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`network_isolation`	`Network isolation of Endpoint Agent hosts` Network isolation of Endpoint Agent hosts.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`settings`	`Settings` Modifying Central Node server settings.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`settings`	`Settings` The set of virtual machine operating systems is changed to <version of the operating system set>.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>. `cs1label` = <name of the server where the settings were updated>.
`mt`	`Managing CN, PCN and SCN servers` Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution and multitenancy mode. Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously. Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`user_account`	`Managing user accounts` Actions on user accounts.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`notifications`	`Sending notifications` Configuring email notifications.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.
`license`	`License` Managing the license key.	`dvs` = <IP address of the server>. `eventId` = <ID of the event>. `rt` = <event date and time>. `src` = <IP address of the user>. `user` = <user name>. `cs1` = <event type>.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.

Page top