Kaspersky Anti Targeted Attack Platform

System event types of the Asset Management technology

This article describes the system event types of the Asset Management technology (see the table below).

System event types of the Asset Management (AM) technology

Code

Event type title

Conditions for registration

4000005003

Detected new device with the address $owner_ip_or_mac

With Asset Monitoring in monitoring mode, a new device was automatically added by the detected IP or MAC address, which is not specified for other devices in the table.

When registering the event, the application may simultaneously register an Unauthorized device risk for this device. In this case, a relation is established between the risk and the event.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the assigned name of the device
  • $assigned_mac: the assigned MAC address (if defined)
  • $owner_ip: the assigned IP address (if defined)
  • $asset_id: the ID of the device

4000005004

Received new information about device with the address $owner_ip_or_mac

With Asset Monitoring in monitoring mode, device information was automatically updated based on information received from traffic.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $updated_params: a list of updated information
  • $asset_id: the ID of the device

4000005005

IP address conflict detected $owner_ip

With Asset Monitoring in monitoring mode, an IP address specified in the settings of one device was detected in use by a different device.

The following variables are used in the title and description of the event type:

  • $owner_ip: the IP address
  • $challenger_asset_name: the name of the device that used the IP address
  • $challenger_mac: the MAC address of the device that used the IP address
  • $asset_name: the name of the device in whose settings the IP address was specified
  • $owner_mac: the MAC address of the device in whose settings the IP address was specified
  • $challenger_ips_lis: a list of other IP addresses of the device that used the IP address
  • $asset_id: the ID of the device in whose settings the IP address was specified
  • $challenger_id: the ID of the device that used the IP address

4000005006

Detected traffic from address $owner_ip_or_mac, which is assigned to device with the Archived status

With Asset Management in monitoring mode, or based on data received from an EPP application, activity was detected from a device that has the Archived status.

When registering the event, the application may simultaneously register an Unauthorized device risk for this device. In this case, a relation is established between the risk and the event.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: the name of the device
  • $last_seen_timestamp: the date and time when the device was last seen in the network
  • $asset_id: the ID of the device

4000005007

Detected new IP address $new_ip_addr for device with the MAC address $owner_mac

With Asset Monitoring in monitoring mode, a new IP address used by a device was detected.

The following variables are used in the title and description of the event type:

  • $new_ip_addr: the detected IP address
  • $owner_mac: the MAC address of the device
  • $asset_name: the name of the device
  • $owner_ips_list: a list of other IP addresses of the device
  • $asset_id: the ID of the device

4000005008

New MAC address ($owner_mac) was added to device with IP address $owner_ip

In Asset Management monitoring mode, a MAC address was automatically added for a network interface that had only an IP address specified (the device had the Unauthorized or Archived status).

The following variables are used in the title and description of the event type:

  • $owner_mac: the detected MAC address of the device
  • $owner_ip: the IP address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005009

New IP address ($owner_ip) was added to device with the MAC address $owner_mac

In Asset Management monitoring mode, an IP address was automatically added for a network interface that had only a MAC address specified (the device had the Unauthorized or Archived status).

The following variables are used in the title and description of the event type:

  • $owner_ip: the detected IP address of the device
  • $owner_mac: the MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005010

Detected new MAC address $new_mac_addr for device with the IP address $owner_ip

With Asset Monitoring in monitoring mode, a new MAC address used by a device was detected (with automatic update of address information disabled for this device).

The following variables are used in the title and description of the event type:

  • $new_mac_addr: the detected MAC address
  • $owner_ip: the IP address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005011

Detected change of MAC address $owner_mac to $challenger_mac in device data received from EPP application

Based on information received from an EPP application, the MAC address of the device has been updated.

The following variables are used in the title and description of the event type:

  • $owner_mac: an old MAC address of the device
  • $challenger_mac: a new MAC address of the device
  • $asset_name: the name of the device
  • $asset_id: the ID of the device

4000005012

New address information for device $asset_name found in data received from EPP application

New address information of a device was found in data received from an EPP application. An event of this type is registered if the change of the address information of the device has not been processed by the application as event 4000005009 or 4000005010.

The following variables are used in the title and description of the event type:

  • $asset_name: the name of the device
  • $detected_epp_addresses: address information
  • $asset_id: the ID of the device

4000005013

Conflict detected in addresses of devices $conflicted_epp_assets after data was received from EPP application

Based on the information received from the EPP application, a conflict with the addresses of multiple devices in Kaspersky Anti Targeted Attack Platform was detected. According to the information from the EPP application, the addresses belong to the same device.

The following variables are used in the title and description of the event type:

  • $conflicted_epp_assets: devices with conflicting addresses detected
  • $unaccepted_epp_addresses: addresses that belong to the same device

4000005014

Subnet $subnet_mask was added from EPP application data

After receiving information from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to the address space for which the integration server that receives data from the EPP application is a permitted data source. If multiple such address spaces exist, the application selects the address space whose existing subnet is the most suitable parent for the new nested subnet.

The following variables are used in the title and description of the event type:

  • $subnet_mask: a subnet address
  • $subnet_type: a subnet type

4000005016

Unauthorized DHCP server detected with IP address $owner_ip

The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP server.

The following variables are used in the title and description of the event type:

  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $owner_ip: the IP address of the device
  • $owner_ip_or_mac: the IP or MAC address of the device

4000005017

Unauthorized DHCP relay detected with IP address $owner_ip

The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP relay.

The following variables are used in the title and description of the event type:

  • $asset_name: the name of the device
  • $asset_id: the ID of the device
  • $owner_ip: the IP address of the device
  • $owner_ip_or_mac: the IP or MAC address of the device

4000005600

Changes detected in the list of users on the device with the address $owner_ip_or_mac

Changes to user information were detected while controlling users on devices.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: a name of the device
  • $asset_id: the ID of the device
  • $added_asset_users: a list of added users
  • $modified_asset_users: a list of modified users
  • $removed_asset_users: a list of removed users

4000005601

Changes detected in the list of applications on the device with the address $owner_ip_or_mac

Changes to the application information of the device were detected while monitoring applications and patches on devices.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: a name of the device
  • $asset_id: the ID of the device
  • $added_asset_apps: a list of added applications
  • $removed_asset_apps: a list of removed applications

4000005602

Changes detected in the list of patches on the device with the address $owner_ip_or_mac

Changes to the patch information of the device were detected while monitoring applications and patches on devices.

The following variables are used in the title and description of the event type:

  • $owner_ip_or_mac: the IP or MAC address of the device
  • $asset_name: a name of the device
  • $asset_id: the ID of the device
  • $added_asset_patches: a list of added patches
  • $removed_asset_patches: a list of removed patches

4000005603

Changes detected in the configuration component $inventory_loc_key on the device

While monitoring device configurations, changes in the configuration component were detected as compared to the previous configuration according to device scan results (for jobs that run in the Update only and/or Archive versions configuration processing modes).

The following variables are used in the title and description of the event type:

  • $inventory_loc_key: the name of the configuration component
  • $device_config_inventory_changed_format: the changes detected in the configuration component

4000005604

Discrepancies detected compared with the reference configuration component $inventory_loc_key on the device

When monitoring device configurations, discrepancies were found compared to the reference configuration component according to device scan results (for jobs that run in the Compare with benchmark configuration processing mode).

The following variables are used in the title and description of the event type:

  • $inventory_loc_key: the name of the configuration component
  • $device_config_diverged_format: detected discrepancies compared to the reference configuration component

4000005700

Public key mismatch detected while connecting to the device remotely

When connecting to the device remotely, a mismatch was detected between the received public key of the device and the value stored in the application. Device scan canceled.

The following variables are used in the description of the event type:

  • $asset_name: the name of the device
  • $new_asset_sshpublickey: received public key
  • $old_asset_sshpublickey: stored public key

4000005701

Public key mismatch detected during device active polling

While actively polling a device, a mismatch was detected between the received public key of the device and the value stored in the application. Active polling canceled for the device.

The following variables are used in the description of the event type:

  • $asset_name: the name of the device
  • $new_asset_sshpublickey: received public key
  • $old_asset_sshpublickey: stored public key
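Events 4000005700 and 4000005701 are the application's SSH host-key pinning check: the public key presented by the device during a scan or active poll is compared with the key stored for that device, and the operation is aborted on a mismatch rather than continuing against a possibly impersonated host. The following is an added example of that comparison for OpenSSH public-key lines, written for this page; it is not Kaspersky's implementation, and the sample keys, the `make_ed25519_line` helper and the `evaluate_connection` result shape are constructed for the example.

```python
import base64
import hashlib
import hmac


def parse_openssh_public_key(line: str) -> tuple[str, bytes]:
    """Parse an OpenSSH public-key line ('<type> <base64> [comment]') and return
    (key type, raw wire-format key blob). The comment is ignored, so two lines that
    differ only in the comment compare equal. Raises ValueError on malformed input
    or if the type embedded in the blob does not match the declared type."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # Wire format begins with a length-prefixed string naming the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + n].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type!r} != embedded type {embedded!r}")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(stored: str, received: str) -> bool:
    """Constant-time comparison of the stored and received keys. A malformed key
    or a key-type mismatch counts as a mismatch; it never raises."""
    try:
        stored_type, stored_blob = parse_openssh_public_key(stored)
        recv_type, recv_blob = parse_openssh_public_key(received)
    except ValueError:
        return False
    return stored_type == recv_type and hmac.compare_digest(stored_blob, recv_blob)


def evaluate_connection(asset_name: str, stored: str, received: str, polling: bool) -> dict:
    """Mirror the decision behind events 4000005700/4000005701: proceed only when the
    keys match, otherwise cancel and report the mismatch with both fingerprints."""
    if host_key_matches(stored, received):
        return {"proceed": True, "event": None}
    try:
        old_fp = sha256_fingerprint(parse_openssh_public_key(stored)[1])
    except ValueError:
        old_fp = "unparseable"
    try:
        new_fp = sha256_fingerprint(parse_openssh_public_key(received)[1])
    except ValueError:
        new_fp = "unparseable"
    return {
        "proceed": False,
        "event": {
            "code": 4000005701 if polling else 4000005700,
            "asset_name": asset_name,
            "old_asset_sshpublickey": old_fp,
            "new_asset_sshpublickey": new_fp,
        },
    }


def make_ed25519_line(pubkey32: bytes, comment: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 key bytes.
    Constructed helper for sample data only; the bytes are not a real key."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = s(b"ssh-ed25519") + s(pubkey32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed sample keys (deterministic bytes, not real device keys).
STORED_KEY = make_ed25519_line(bytes(range(32)), "device-01 stored")
RECEIVED_SAME = make_ed25519_line(bytes(range(32)), "device-01 live")
RECEIVED_DIFF = make_ed25519_line(bytes(range(1, 33)), "device-01 live")

if __name__ == "__main__":
    print(evaluate_connection("device-01", STORED_KEY, RECEIVED_SAME, polling=False))
    print(evaluate_connection("device-01", STORED_KEY, RECEIVED_DIFF, polling=True))
```

The comparison is done on the decoded key blob rather than on the text line, so comment changes or re-encoded whitespace do not trigger a false mismatch, while a key whose declared type does not match its embedded type is rejected outright. A mismatch on a device that was legitimately re-provisioned looks identical to one on an impersonated device, so the stored key should only be replaced after the change has been confirmed out of band.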

4000000004

Test event (AM)

Test network packet detected (with device activity detection method enabled).
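The event type titles in the table are templates: the application substitutes the listed $variables when it registers an event. When these events are forwarded to a SIEM, an analyst usually wants them normalized (title rendered, key fields pulled out) and ranked, since an unauthorized DHCP server or a public key mismatch deserves a different response than a routine inventory update. The following is an added example of such a normalization and triage step, written for this page; it is not Kaspersky's code. The JSON-lines input shape, the priority tiers and the sample events are assumptions constructed for the example; only the template titles and variable names come from the table above.

```python
import json
import re
from typing import Any

# Title templates copied from the table above; the $placeholders are the
# variables the table lists for each event type.
TITLES = {
    4000005003: "Detected new device with the address $owner_ip_or_mac",
    4000005005: "IP address conflict detected $owner_ip",
    4000005006: ("Detected traffic from address $owner_ip_or_mac, "
                 "which is assigned to device with the Archived status"),
    4000005016: "Unauthorized DHCP server detected with IP address $owner_ip",
    4000005017: "Unauthorized DHCP relay detected with IP address $owner_ip",
    4000005600: ("Changes detected in the list of users on the device "
                 "with the address $owner_ip_or_mac"),
    4000005700: "Public key mismatch detected while connecting to the device remotely",
    4000005701: "Public key mismatch detected during device active polling",
    4000000004: "Test event (AM)",
}

# Tiers are this example's assumption (the product does not rank these codes):
# 3 = respond now, 2 = investigate, 1 = inventory hygiene, 0 = drop.
TIER = {
    4000005016: 3, 4000005017: 3, 4000005700: 3, 4000005701: 3,
    4000005005: 2, 4000005006: 2, 4000005600: 2,
    4000005003: 1,
    4000000004: 0,
}

_VAR = re.compile(r"\$([A-Za-z_]\w*)")


def render(code: int, params: dict[str, Any]) -> tuple[str, list[str]]:
    """Fill the title template for `code`. Variables absent from `params` are
    left as `$name` and reported, so a malformed event never raises mid-pipeline."""
    template = TITLES.get(code)
    if template is None:
        return f"Unknown AM event type {code}", []
    missing = sorted({name for name in _VAR.findall(template) if name not in params})
    rendered = _VAR.sub(lambda m: str(params.get(m.group(1), m.group(0))), template)
    return rendered, missing


def triage(event: dict[str, Any]) -> dict[str, Any]:
    """Normalize one AM event: rendered title, tier, and the fields an analyst
    needs first. The {"code": int, "params": {...}} shape is assumed here."""
    code = int(event["code"])
    params = event.get("params", {})
    title, missing = render(code, params)
    out = {"code": code, "title": title, "tier": TIER.get(code, 1),
           "asset_id": params.get("asset_id"), "missing": missing}
    if code == 4000005005:
        # Two devices claimed one IP address: keep both sides for the follow-up.
        out["conflict"] = {"owner_mac": params.get("owner_mac"),
                           "challenger_mac": params.get("challenger_mac"),
                           "challenger_id": params.get("challenger_id")}
    if code in (4000005700, 4000005701):
        out["keys"] = {"stored": params.get("old_asset_sshpublickey"),
                       "received": params.get("new_asset_sshpublickey")}
    return out


def process(lines: list[str]) -> list[dict[str, Any]]:
    """Parse JSON-lines input, drop tier-0 events, return highest tier first."""
    results = [triage(json.loads(ln)) for ln in lines if ln.strip()]
    results = [r for r in results if r["tier"] > 0]
    return sorted(results, key=lambda r: (-r["tier"], r["code"]))


# Constructed sample input (not a real KATA export; the JSON-lines shape and
# every value below are made up for this example).
SAMPLE = [
    '{"code": 4000005003, "params": {"owner_ip_or_mac": "10.0.8.41", "asset_name": "Unknown-41", "asset_id": 1201}}',
    '{"code": 4000005005, "params": {"owner_ip": "10.0.8.10", "asset_name": "plc-01", "owner_mac": "00:11:22:33:44:55", '
    '"challenger_asset_name": "Unknown-77", "challenger_mac": "66:77:88:99:aa:bb", "asset_id": 17, "challenger_id": 1177}}',
    '{"code": 4000005016, "params": {"owner_ip": "10.0.8.250", "owner_ip_or_mac": "10.0.8.250", "asset_name": "Unknown-250", "asset_id": 1250}}',
    '{"code": 4000005700, "params": {"asset_name": "switch-03", "old_asset_sshpublickey": "ssh-ed25519 KEY-A", "new_asset_sshpublickey": "ssh-ed25519 KEY-B"}}',
    '{"code": 4000000004, "params": {}}',
    '{"code": 4000005006, "params": {"owner_ip_or_mac": "10.0.9.3", "asset_id": 88}}',
]

if __name__ == "__main__":
    for row in process(SAMPLE):
        print(row["tier"], row["code"], row["title"], row["missing"] or "")
```

Rendering with a tolerant substitution rather than `string.Template.substitute` matters in a pipeline: an event that arrives without one of its documented variables is still indexed and still ranked, and the `missing` list makes the gap visible instead of dropping the event with an exception.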