Matching of CEF message fields

Integration with third-party resources > Configuring integration with SIEM systems > Matching of CEF message fields

Matching of CEF message fields

CEF messages are sent in the English language.

The table below lists the man components of the header and body of CEF messages sent by Kaspersky Container Security.

Components and values of CEF message components

Component	Value	Example
Standard header of the CEF message (syslog header)	The header is sent in the following format: `<date>` `<time>` <`host name of the server`>.	`Feb 18 10:07:28 host`
CEF format prefix and version	`<CEF>:<version>`	`CEF:0`
Event ID	Device Vendor Device Product Device Version	`Kaspersky` `Kaspersky Container Security` `2.0`
Unique ID of the event type (Signature ID)	Kaspersky Container Security sends the following event type IDs: `ADM-ХХХ`: Administration event. `CVE-XXX`: Risk acceptance with regard to a vulnerability or expiration of such risk acceptance. `MLW-XXX`: Risk acceptance with regard to a piece of malware or for expiration of such risk acceptance. `NCMP-001`: Non-compliance of an image with requirements. `CMP-001`: Compliance of an image with requirements. `SD-XXX`: Risk acceptance with regard to sensitive data or for expiration of such risk acceptance. `MS-XXX`: Risk acceptance with regard to misconfigurations or for expiration of such risk acceptance. `CI-ХХХ`: Event in the CI/CD process. `PLC-ХХХ`: Event when applying a secuity policy. `BNCH-ХХХ`: Event when scanning the cluster and nodes. `AG-ХХХ`: Event related to an agent. `SJ-ХХХ`: Event of the scanner. `RT-ХХХ`: Event of a best practice check. `API-ХХХ`: Request to API server. `PM-ХХХ`: Event when implementing processes. `FM-ХХХ`: Event involving access to objects in the container file system. `NT-ХХХ`: Network connection. `FPM-XXX` – an event of a runtime policy violation during a process `FNT-XXX` – an event of a runtime policy violation related to a network connection `FFM-XXX` – an event of a runtime policy violation related to an access to objects in the container file system `FFTP-XXX` – an event of a runtime policy violation related to File Threat Protection	Some of the event type IDs sent by the solution: `ADM-001: User 1 added user 2`. `CVE-001: User 1 accepted risk for image XXX` `AG-002: Agent XXX is disconnected` `BNCH-003: YYY was passed while scanning XXX` `PLC-001: YYY was applied to image XXX` `NCMP-001: Image XXX was marked as non-compliant` `SD-008: XXX risk acceptance expires`
Event description (Name)	The description must be user-readable and relevant to the event type ID. For example, 'Administration' for ADM or 'Process management' for PM.	Some of the event names sent by the solution: `Process management` `File management` `Networking`
Importance of the event (Severity)	The severity of the event on a scale from 0 to 10 is determined as follows: 0–3: Low 4–6: Medium 7–8: High 9–10: Very high The severity score of an event depends on the event type and status (Success or Failure).	For example, the severity score can be determined as follows: For PM (`Process management`) and NT (`Networking`) events: If event status is `Audited` or `Blocked`, the severity is 7. For any other status, the severity is 3. For AG (`Agents`) events: If the event is successful, the severity is 5. If an error occurred, the severity is 10. For API events: If the event is successful, the severity is 3. If an error occurred, the severity is 8.
Additional information about the event (Extension)	Additional information may include one or more sets of key-value pairs.	Information about the key-value pairs that Kaspersky Container Security transfers is provided below.

Additional information about an event which is transferred by Kaspersky Container Security

Key	Value	Usage
`source`	The domain (pod name) of the event source ( Source name)	In all events
`src`	One of the following IP addresses in an IPv4 network (Source IP): for network traffic – the IP address of the connection source for administration events – the IP address of the action initiator	In all events
`reason`	Description of the reason for the Error status ( Reason)	In all events with the Error status, except `PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`fname`	Image (artifact) name ( Artifact name)	`CI-ХХХ`, `SJ-ХХХ`, `ADM-ХХХ`, `CVE-ХХХ`, `MLW-ХХХ`, `SD-ХХХ`, `MS-ХХХ`, `CMP-001`, `PLC-ХХХ`, `NCMP-001`
`suser`	The name of the user who initiated the action ( Username)	In all events except `PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dpid`	Process ID (PID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`spid`	Parent process ID (PPID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`flexString1`	Effective Group ID (EGID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`flexString2`	Container identifier Container ID	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`outcome`	Execution status or mode (Status) The value is defined as follows: For runtime events (`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`), the execution mode (Audit, Enforce, or Other) is specified. For other events, the execution status is specified (Success or Error). If the status is Error, the solution also transfers the error text or code (`reason`).	In all events
`request`	The name of an image (Image name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`fileHash`	Image hash (Image digest)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`act`	One of the following operation types (Operation): for file operations – the type of operation (`open`, `close`, `read`, `write`, `create`, `delete`, `chmod`, `chown`, `rename`) for network traffic – direction and type of traffic (`egress`, `ingress`, `egress_response`, `ingress_response`) for processes – the `exec` value for File Threat Protection operations – the `ftp` value	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`spt`	Port of the connection source (Source port)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dst`	IP address of the destination in the IPv4 network (Destination IP)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dpt`	Port of the destination (Destination port)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`dproc`	Process name (command) (Process name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`duid`	Effective User ID (EUID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`filePermission`	File access permissions (`mode_t mode`).	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`oldFilePath`	The previously used path to the file (Old File Path)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`filePath`	Path to the file (Path) For events involving access to objects in the file system of a container, `filePath` is used to pass information about the new path to the file (New File Path).	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`deviceDirection`	Connection direction type (Traffic type) 0 for ingress connections, 1 for egress connections.	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cn1`	New process identifier (New PID)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs1`	Name of a cluster (Cluster name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs2`	Name of a node (Node name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs3`	Name of a namespace (Namespace name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs4`	Executed command (Command) For events involving access to objects in the file system of a container, `cs4` is used to pass information about the new owner of the file (NewOwner).	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs5`	Name of the pod (Pod name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs6`	Name of the container (Container name)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`
`cs7`	IP address of the node (Node IP)	`PM-ХХХ`, `FM-ХХХ`, `NT-ХХХ`, `FPM-XXX`, `FNT-XXX`, `FFM-XXX`, `FFTP-XXX`

Article ID: 293652, Last review: Dec 5, 2024

Page top