Additional information about the event in the CEF message

Key	Value	Usage
`source`	The domain (pod name) of the event source (Source name).	In all events
`src`	One of the following IP addresses in an IPv4 network (Source IP Address): for network traffic – the IP address of the connection source for administration events – the IP address of the action initiator	`ADM-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX, CI-ХХХ, PLC-ХХХ, API-ХХХ, NT-ХХХ, FNT-XXX, FHL-XXX`
`reason`	Description of the Reason of the Error status.	In all events with the Error status, except `AG-XXX, PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX`
`fname`	One of the following artifact types (Artifact name): Name of the image (artifact) For `RBAC-XXX`, the name of the object with which the event occurred.	`ADM-XXX, CMP-XXX, NCMP-XXX, CI-ХХХ, PLC-ХХХ, SJ-ХХХ, RBAC-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX`
`suser`	The name of the user that initiated the action (Source username)	`ADM-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX, CI-ХХХ, PLC-ХХХ, API-ХХХ, NT-ХХХ, FNT-XXX, FHL-XXX`
`duser`	Name of the user with which the action was performed (Destination username)	`ADM-XXX, FHL-XXX`
`dpid`	Process identifier (PID)	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX, FFTP-XXX, FLP-XXX, FHL-XXX`
`spid`	Parent process identifier (PPID)	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX, FLP-XXX, FHL-XXX`
`flexString1`	Effective Group Identifier (EGID)	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX, FLP-XXX`
	Security policy type (Policy type)	`ADM-XXX, CI-XXX, PLC-XXX`
	Report name	`ADM-XXX`
	Danger level of the detected object (Detect danger level)	`FFTP-XXX`
	Node monitoring	`AG-XXX`
`flexString2`	Container ID	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FLP-XXX, FCL-XXX`
	Policy name	`ADM-XXX, CI-XXX, PLC-XXX, RT-XXX`
	Application scope name	`ADM-XXX`
`flexString3`	Return Value	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX`
`flexString3`	Type of integration with image signature validators (Image sign validator type)	`ADM-XXX`
`flexString4`	Names of related policies that were applied to detect the incident while investigating of security events (Related policies)	`FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FCL-XXX, FLP-XXX`
`flexString4`	Name of integration with image signature validators (Image sign validator name)	`ADM-XXX`
`outcome`	Execution status or mode (Status) The value is defined as follows: For runtime events (`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`), the execution mode (Audit, Enforce, or Other) is specified. For authorization logging events on the host, the result of logging in to the host OS is displayed (Success or Failure). For other events, the execution status is specified (Success or Error). If the status is Error, the solution also transfers the error text or code (`reason`).	In all events
`request`	Image name	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX, FCL-XXX`
`fileHash`	Image digest	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX, FCL-XXX`
`act`	One of the following operation types (Action): for file operations – the type of operation (`open`, `close`, `read`, `write`, `create`, `delete`, `chmod`, `chown`, `rename`) for network traffic – direction and type of traffic (`egress`, `ingress`, `egress_response`, `ingress_response`) for processes – the `exec` value for File Threat Protection operations – the `ftp` value For the logging of authorization events in the host OS, the type of local connection.	`FM-ХХХ, FFM-XXX, FCL-XXX, RBAC-XXX, ADM-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX, FHL-XXX`
`spt`	Source port	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`
`dst`	IP address of the destination in the IPv4 network (Destination IP)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`
`dpt`	Destination port	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`
`dproc`	Process name (command)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`
`duid`	One of the following parameters: Effective User Identifier (EUID) For logging host OS authorization events, the user identifier which the login was performed.	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX, FFTP-XXX, FLP-XXX, FHL-XXX`
`filePermission`	One of the following permission sets (`File Permission`): For `FM-XXX`, `FFM-XXX`, file access permissions For `FCL-XXX`, the functionality set of the container.	`FM-ХХХ, FFM-XXX, FCL-XXX`
`oldFilePath`	Previously used file path (Old File Path)	`FM-ХХХ, FFM-XXX`
`filePath`	Path to the file (Path) For events involving access to objects in the file system of a container, `filePath` is used to pass information about the new path to the file (New file path).	`PM-ХХХ, FM-ХХХ, FPM-XXX, FFM-XXX, FFTP-XXX, FCL-XXX`
`deviceDirection`	Connection type (Traffic type) 0 for ingress connections, 1 for egress connections.	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`
`cn1`	New process identifier (New PID)	`PM-ХХХ`, `FPM-XXX`
`cn1`	Total number of events of the selected type on the node per minute (Total events per minute)	`AG-XXX`
`cn2`	The number of events lost on the node per minute (Lost events amount)	`AG-XXX`
`cn3`	Percentage of events lost over a minute (Lost events percentage)	`AG-XXX`
`cs1`	Cluster name	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX, FLP-XXX, FCL-XXX, RBAC-XXX, BNCH-XXX, FHL-XXX`
	Role name	`ADM-XXX`
	Name of the accepted risk (Risk name)	`CVE-XXX, MLW-XXX, SD-XXX, MS-XXX`
	Scanner name	`SJ-XXX`
	Path that the user accessed (End point)	`API-XXX`
`cs2`	Node name	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FLP-XXX, FCL-XXX, BNCH-XXX, AG-XXХ, FHL-XXX`
	User that initiated the change (RBAC initiator)	`RBAC-XXX`
	Name of the LDAP group that the user belongs to (Active Directory group name)	`ADM-XXX`
	Scan job ID applied by the scanner (Job ID)	`SJ-XXX`
`cs3`	Namespace name	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FLP-XXX, FCL-XXX, RBAC-XXX`
	Name of the modified repository (Repository name)	`ADM-XXX`
	Name of the triggered benchmark rule (Benchmark name)	`BNCH-XXX`
	Name of the terminal through which the login attempt was made (TTY)	`FHL-XXX`
	Agent name	`AG-XXX`
	Component name	`CORE-XXX`
`cs4`	Executed command (Command)	`PM-ХХХ, FPM-XXX`
	Information about the new owner (New owner)	`FM-ХХХ, FFM-XXX`
	Information about the groups of the initiator (Initiator groups)	`RBAC-XXX`
	Name of the image registry (Registry name)	`ADM-XXX`
	Mode of the file interceptor that is enabled in the settings of the File Threat Protection component in the Container Runtime Profile (File interceptor mode)	`FFTP-XXX`
	Command from the command line (cmd) for a sudo operation (Operation).	`FHL-XXX`
`cs5`	Pod name	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FCL-XXX, CORE-XXX`
`cs5`	Type of integration with outputs (Integration type)	`ADM-XXX`
`cs6`	Container name	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FCL-XXX`
`cs6`	Integration name	`ADM-XXX`
`cs7`	Node IP	`PM-ХХХ, FM-ХХХ, NT-ХХХ, FPM-XXX, FFM-XXX, FNT-XXX, FFTP-XXX, FCL-XXX, RBAC-XXX, AG-XXX, FHL-XXX`
`cs7`	Address of the connected LDAP server (Server name)	`ADM-XXX`
`cs8`	Unique Kaspersky Container Security instance ID (KСS ID) KCS ID does not change when the pod is changed.	In all events, except `PM-XXX, FM-XXX, NT-XXX`
`cs9`	Event ID in ClickHouse (Event ID)	In all events, except `PM-XXX, FM-XXX, NT-XXX`
`malwareName`	Name of the detected malware (Malware name)	`FFTP-XXX`
`malwareType`	Type of the detected malware (Malware type)	`FFTP-XXX`
`fileHashMd5`	MD5 hash of the malicious file (File hash (MD5))	`FFTP-XXX`
`fileHashSha256`	SHA256 hash of the malicious file (File hash (SHA256))	`FFTP-XXX`
`cat`	Name of the event category within the File Threat Protection component (Event category)	`FFTP-XXX`
`ownerId`	ID of the user that launched the malicious file (Owner ID)	`FFTP-XXX`
`objectId`	ID of the object detected by the File Threat Protection component (Object ID)	`FFTP-XXX`
`operInitiator`	Initiator of an operation with a container (Operation initiator)	`FCL-XXX`
`fileType`	Type of the object with which the event occurred (Object type)	`RBAC-XXX`
`privileged`	Whether the container has privileged access to all objects on the host device (Privileged)	`FCL-XXX`
`roRootFs`	Whether writing to the root file system of the container is prohibited (ReadonlyRootfs)	`FCL-XXX`
`mountVolumes`	Mounted directories of the container (Mounted volumes)	`FCL-XXX`
`expPorts`	Associated ports that allow forwarding traffic from a port on a host device to a port of the container (Exposed ports)	`FCL-XXX`
`boundingCaps`	Maximum functionality set that can be assigned to a process or container, or used by a process or container (Bounding capabilities)	`FCL-XXX`
`effectiveCaps`	Set of functionality available to a process or container (Effective capabilities)	`FCL-XXX`
`inheritableCaps`	Set of functionality inherited by processes from their parent process (Inheritable capabilities)	`FCL-XXX`
`permittedCaps`	Functionality that defines the capabilities potentially available to the process (Permitted capabilities)	`FCL-XXX`
`flexDate1`	Event date	In all events, except `PM-XXX, FM-XXX, NT-XXX`
`flexDate2`	Expiration date of accepted risk (Expiration date)	`CVE-XXX, MLW-XXX, SD-XXX, MS-XXX`
`requestMethod`	Authorization method in the host OS (Connection method)	`FHL-XXX`
`app`	Protocol (SSH, TELNET, RDP) used for authorization in the host OS (Application protocol)	`FHL-XXX`

Page top