Kaspersky Anti Targeted Attack Platform

Kaspersky Anti Targeted Attack Platform

Print Support Send link

Contents

System event types of the Endpoint Protection Platform technology

System event types of the Endpoint Protection Platform technology

This article describes the system event types of the Endpoint Protection Platform (see the table below).

System event type using the Endpoint Protection Platform (EPP) technology

Code	Event type title	Conditions for registration
4000005500	Activity specific for network attacks	The integration server received information about the triggering of the Network Threat Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005501	Connection of an untrusted external device	The integration server received information about the triggering of the Device Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005502	Attempt to run an unauthorized or untrusted application	The integration server received information about the triggering of the Device Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005503	Prohibited file operation in the specified monitoring scope	The integration server received information about the triggering of the File Integrity Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005504	Files in the specified monitoring scope are modified	The integration server received information about the triggering of the Baseline File Integrity Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005505	Network connection not allowed by firewall rules	The integration server received information about the triggering of the Firewall Management component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005506	System registry modifications in the specified monitoring scope	The integration server received information about the triggering of the Registry Access Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005507	Log analysis rule was triggered	The integration server received information about the triggering of the Log Inspection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005508	Attempt to exploit a vulnerability in a protected process	The integration server received information about the triggering of the Exploit Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005509	Attempt to maliciously encrypt network file resources	The integration server received information about the triggering of the Anti-Cryptor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005510	Attempt to connect to a Wi-Fi network	The integration server received information about the triggering of the Wi-Fi Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005512	Infected or probably infected object was detected	The integration server received information about the triggering of the Real-Time File Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.
4000005513	Sigma rule $sigmaAlertTitle triggered	The integration server received data about an Endpoint Agent component Sigma rule being triggered. The following variables are used in the title and description of the event type: $sigmaAlertTitle: Sigma rule name $sigma_detection_type: detection technology $sigma_object_type: the type of object that triggered the Sigma rule $sigma_object_name: the name of object that triggered the Sigma rule or the name of the first triggered Sigma rule $sigma_status: detection status