You can use the extended event schema fields in normalizers for normalizing events and in other KUMA resources, for example, as widget fields or to filter and search for events. You can view the list of all extended event schema fields that exist in KUMA in the Settings → Extended event schema fields section. The list of extended event schema fields is the same for all tenants.
Only users with the General administrator, Tenant administrator, Tier 2 analyst, Tier 1 analyst, Junior analyst, Read shared resources, and Manage shared resources roles can view the table of extended event schema fields.
The Extended event schema fields table contains the following information:
You can click the name to edit the settings of the extended event schema field.
You can set the toggle switch to Enable or Disable to allow or forbid the use of this extended event schema field in new resources. However, a disabled field is still used in resource configurations that are already operational until you manually remove the field from the configuration; the field also remains available in the list of table columns in the Events section for working with old events.
Only a user with the General administrator role can disable an extended event schema field.
You can click the number to open a pane with a table of all resources and other KUMA entities that are using this field. For each dependency, the table displays the name, tenant (only for resources), and type. Dependencies in the table are sorted by name. Clicking the name of a dependency takes you to its page (except for dashboard layouts, presets, and saved user queries).
You can view the dependencies of an extended event schema field only for resources and entities to whose tenants you have access. If you do not have access to the tenant, its resources are not displayed in the table, but still count towards the number of dependencies.
By default, the table of extended event schema fields is sorted by update date in descending order. If necessary, you can sort the table by clicking a column heading and selecting Ascending or Descending; you can also use context search by field name.
By default, the following service extended event schema fields are automatically added to KUMA:
KL_EventRoute, type S, for storing information about the route of the event. You can use this field in normalizers, as a key or value in active lists, in enrichment rules, as a query field in data collection and analysis rules, and in correlation rules. You cannot use this field to detect event sources.
KL_CorrelationRulePriority, type N
KL_SourceAssetDisplayName, type S
KL_DestinationAssetDisplayName, type S
KL_DeviceAssetDisplayName, type S
KL_SourceAccountDisplayName, type S
KL_DestinationAccountDisplayName, type S
You cannot use these service fields to search for events.
You cannot edit, delete, export, or disable service fields. All extended event schema fields with the KL_ prefix are service fields and can be managed only from Kaspersky servers. We do not recommend using the KL_ prefix when adding new extended event schema fields.