Standard header of the CEF message (syslog header)

The header is sent in the following format: <date> <time> <host name of the server>.

Feb 18 10:07:28 host

CEF format prefix and version

<CEF>:<version>

CEF:0

Event ID

Solution vendor (Device Vendor)

Solution name (Device Product)

Solution version (Device Version)

Kaspersky

Kaspersky Container Security

2.1

Unique event type ID (Signature ID)

Kaspersky Container Security sends the following event type IDs:

• ADM-ХХХ: Administration event.
• CVE-XXX: Risk acceptance with regard to a vulnerability or expiration of such risk acceptance.
• MLW-XXX: Risk acceptance with regard to a piece of malware or for expiration of such risk acceptance.
• NCMP-001: Non-compliance of an image with requirements.
• CMP-001: Compliance of an image with requirements.
• SD-XXX: Risk acceptance with regard to sensitive data or for expiration of such risk acceptance.
• MS-XXX: Risk acceptance with regard to misconfigurations or for expiration of such risk acceptance.
• CI-ХХХ: Event in the CI/CD process.
• PLC-ХХХ: Event when applying a secuity policy.
• BNCH-ХХХ: Event when scanning the cluster and nodes.
• AG-ХХХ: Event related to an agent state change.
• SJ-ХХХ: Event of the scanner.
• RT-ХХХ: Event of a best practice check.
• API-ХХХ: Request to API server.
• PM-ХХХ: Event when implementing processes.
• FM-ХХХ: Event involving access to objects in the container file system.
• NT-ХХХ: Network connection.
• FPM-XXX – an event of a runtime policy violation during a process
• FNT-XXX – an event of a runtime policy violation related to a network connection
• FFM-XXX – an event of a runtime policy violation related to an access to objects in the container file system
• FFTP-XXX – an event of a runtime policy violation related to File Threat Protection
• FCL-XXX – an event of a runtime policy violation related to the container lifecycle.
• RBAC-XXX – an event related to RBAC objects (create, modify, delete).
• FHL-XXX – a host OS authorization event.
• CORE-XXX – an event associated with a solution core component state change.

Some of the event type IDs sent by the solution:

• ADM-001: User 1 added user 2.
• CVE-001: User 1 accepted risk for image XXX
• AG-002: Agent XXX is disconnected
• BNCH-003: YYY was passed while scanning XXX
• PLC-001: YYY was applied to image XXX
• NCMP-001: Image XXX was marked as non-compliant
• SD-008: XXX risk acceptance expires

Description of the event (Name)

The description must be user-readable and relevant to the event type ID. For example, 'Administration' for ADM or 'Process management' for PM.

Some of the event names sent by the solution:

• Process management
• File management
• Networking

Importance of the event (Severity)

The severity of the event on a scale from 0 to 10 is determined as follows:

• 0–3: Low
• 4–6: Medium
• 7–8: High
• 9–10: Very high

The severity score of an event depends on the event type and status (Success or Failure).

For example, the severity score can be determined as follows:

• For PM (Process management) and NT (Networking) events:
  • If event status is Audited or Blocked, the severity is 7.
  • For any other status, the severity is 3.
• For AG (Agents) events:
  • If the event is successful, the severity is 5.
  • If an error occurred, the severity is 10.
• For API events:
  • If the event is successful, the severity is 3.
  • If an error occurred, the severity is 8.

Additional information about the event (Extension)

Additional information may include one or more sets of key-value pairs.

Information about the key-value pairs that Kaspersky Container Security transfers is provided below.