Kaspersky Container Security

Matching of CEF message fields

CEF messages are sent in the English language.

The table below lists the main components of the header and body of CEF messages sent by Kaspersky Container Security.

Components and values of CEF message components

Component: Standard header of the CEF message (syslog header)
Value: The header is sent in the following format: <date> <time> <host name of the server>.
Example: Feb 18 10:07:28 host

Component: CEF format prefix and version
Value: <CEF>:<version>
Example: CEF:0

Component: Event ID
Value:
  • Device Vendor
  • Device Product
  • Device Version
Example:
  • Kaspersky
  • Kaspersky Container Security
  • 2.0

Component: Unique ID of the event type (Signature ID)
Value: Kaspersky Container Security sends the following event type IDs:
  • ADM-XXX: Administration event.
  • CVE-XXX: Risk acceptance with regard to a vulnerability or expiration of such risk acceptance.
  • MLW-XXX: Risk acceptance with regard to a piece of malware or expiration of such risk acceptance.
  • NCMP-001: Non-compliance of an image with requirements.
  • CMP-001: Compliance of an image with requirements.
  • SD-XXX: Risk acceptance with regard to sensitive data or expiration of such risk acceptance.
  • MS-XXX: Risk acceptance with regard to misconfigurations or expiration of such risk acceptance.
  • CI-XXX: Event in the CI/CD process.
  • PLC-XXX: Event when applying a security policy.
  • BNCH-XXX: Event when scanning the cluster and nodes.
  • AG-XXX: Event related to an agent.
  • SJ-XXX: Event of the scanner.
  • RT-XXX: Event of a best practice check.
  • API-XXX: Request to the API server.
  • PM-XXX: Event when executing processes.
  • FM-XXX: Event involving access to objects in the container file system.
  • NT-XXX: Network connection.
  • FPM-XXX: Runtime policy violation during a process.
  • FNT-XXX: Runtime policy violation related to a network connection.
  • FFM-XXX: Runtime policy violation related to access to objects in the container file system.
  • FFTP-XXX: Runtime policy violation related to File Threat Protection.
Example: Some of the event type IDs sent by the solution:
  • ADM-001: User 1 added user 2.
  • CVE-001: User 1 accepted risk for image XXX.
  • AG-002: Agent XXX is disconnected.
  • BNCH-003: YYY was passed while scanning XXX.
  • PLC-001: YYY was applied to image XXX.
  • NCMP-001: Image XXX was marked as non-compliant.
  • SD-008: XXX risk acceptance expires.

Component: Event description (Name)
Value: The description must be human-readable and relevant to the event type ID, for example 'Administration' for ADM or 'Process management' for PM.
Example: Some of the event names sent by the solution:
  • Process management
  • File management
  • Networking

Component: Importance of the event (Severity)
Value: The severity of the event on a scale from 0 to 10 is determined as follows:
  • 0–3: Low
  • 4–6: Medium
  • 7–8: High
  • 9–10: Very high
The severity score of an event depends on the event type and status (Success or Failure).
Example: The severity score can be determined as follows:
  • For PM (Process management) and NT (Networking) events:
    • If the event status is Audited or Blocked, the severity is 7.
    • For any other status, the severity is 3.
  • For AG (Agents) events:
    • If the event is successful, the severity is 5.
    • If an error occurred, the severity is 10.
  • For API events:
    • If the event is successful, the severity is 3.
    • If an error occurred, the severity is 8.

Component: Additional information about the event (Extension)
Value: Additional information may include one or more sets of key-value pairs.

Information about the key-value pairs that Kaspersky Container Security transfers is provided below.

Additional information about an event which is transferred by Kaspersky Container Security

Key: source
Value: The domain (pod name) of the event source (Source name)
Usage: In all events

Key: src
Value: One of the following IP addresses in an IPv4 network (Source IP):
  • for network traffic – the IP address of the connection source
  • for administration events – the IP address of the action initiator
Usage: In all events

Key: reason
Value: Description of the reason for the Error status (Reason)
Usage: In all events with the Error status, except PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: fname
Value: Image (artifact) name (Artifact name)
Usage: CI-XXX, SJ-XXX, ADM-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX, CMP-001, PLC-XXX, NCMP-001

Key: suser
Value: The name of the user who initiated the action (Username)
Usage: In all events except PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: dpid
Value: Process ID (PID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: spid
Value: Parent process ID (PPID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: flexString1
Value: Effective Group ID (EGID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: flexString2
Value: Container identifier (Container ID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: outcome
Value: Execution status or mode (Status). The value is defined as follows:
  • For runtime events (PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX), the execution mode (Audit, Enforce, or Other) is specified.
  • For other events, the execution status is specified (Success or Error). If the status is Error, the solution also transfers the error text or code (reason).
Usage: In all events

Key: request
Value: The name of an image (Image name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: fileHash
Value: Image hash (Image digest)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: act
Value: One of the following operation types (Operation):
  • for file operations – the type of operation (open, close, read, write, create, delete, chmod, chown, rename)
  • for network traffic – direction and type of traffic (egress, ingress, egress_response, ingress_response)
  • for processes – the exec value
  • for File Threat Protection operations – the ftp value
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: spt
Value: Port of the connection source (Source port)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: dst
Value: IP address of the destination in the IPv4 network (Destination IP)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: dpt
Value: Port of the destination (Destination port)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: dproc
Value: Process name (command) (Process name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: duid
Value: Effective User ID (EUID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: filePermission
Value: File access permissions (mode_t mode)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: oldFilePath
Value: The previously used path to the file (Old File Path)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: filePath
Value: Path to the file (Path). For events involving access to objects in the file system of a container, filePath is used to pass information about the new path to the file (New File Path).
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: deviceDirection
Value: Connection direction type (Traffic type): 0 for ingress connections, 1 for egress connections.
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cn1
Value: New process identifier (New PID)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs1
Value: Name of a cluster (Cluster name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs2
Value: Name of a node (Node name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs3
Value: Name of a namespace (Namespace name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs4
Value: Executed command (Command). For events involving access to objects in the file system of a container, cs4 is used to pass information about the new owner of the file (NewOwner).
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs5
Value: Name of the pod (Pod name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs6
Value: Name of the container (Container name)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX

Key: cs7
Value: IP address of the node (Node IP)
Usage: PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, FFTP-XXX
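A parser for the message layout and extension keys documented above, added here as an example and not Kaspersky's own code: it splits a syslog-prefixed CEF line into the header fields, maps the severity score to the bands listed on this page, and reports runtime-event keys the page does not document. The sample line, pod/cluster names and helper names (parse_kcs_cef, severity_band, undocumented_runtime_keys) are constructed for illustration; the example also goes beyond the page by handling the standard CEF escaping of '|' in header fields and '=' in extension values.

```python
# Added example, not Kaspersky's code: parse one Kaspersky Container Security
# CEF line as laid out on this page and map its fields to the documented names.
import re

RUNTIME_PREFIXES = ("PM-", "FM-", "NT-", "FPM-", "FNT-", "FFM-", "FFTP-")
# Extension keys the page documents for runtime events (dpid, spid, cs1..cs7, ...).
RUNTIME_KEYS = frozenset(
    "source src outcome request fileHash act spt dst dpt dproc duid dpid spid "
    "flexString1 flexString2 filePermission oldFilePath filePath deviceDirection "
    "cn1 cs1 cs2 cs3 cs4 cs5 cs6 cs7".split())
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")

def severity_band(score: int) -> str:
    """Bands from the Severity section: 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very high."""
    if not 0 <= score <= 10:
        raise ValueError("CEF severity must be 0..10")
    return "Low" if score <= 3 else "Medium" if score <= 6 else "High" if score <= 8 else "Very high"

def parse_kcs_cef(line: str) -> dict:
    """Split syslog header, CEF header and extension; unescape per the CEF rules."""
    syslog_hdr, sep, cef = line.partition("CEF:")
    if not sep:
        raise ValueError("no CEF prefix")
    # A literal '|' inside a header field is escaped as '\|', so split on unescaped '|'.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    event = {"syslog": syslog_hdr.strip(), "cef_version": parts[0]}
    for key, raw in zip(HEADER_FIELDS, parts[1:7]):
        event[key] = raw.replace("\\|", "|").replace("\\\\", "\\")
    event["severity"] = int(event["severity"])
    event["band"] = severity_band(event["severity"])
    # Extension: space-separated key=value pairs; '=' inside a value is escaped as '\='.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7].strip()):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    event["extension"] = ext
    return event

def undocumented_runtime_keys(event: dict) -> set:
    """Keys a runtime event carries that the page does not list (empty if none)."""
    if not event["signature_id"].startswith(RUNTIME_PREFIXES):
        return set()
    return set(event["extension"]) - RUNTIME_KEYS

# Constructed sample message (not captured from a real deployment).
SAMPLE = ("Feb 18 10:07:28 host CEF:0|Kaspersky|Kaspersky Container Security|2.0|"
          "FPM-001|Process management|7|source=kcs-agent-x1 src=10.0.0.12 outcome=Enforce "
          "dpid=4242 spid=1 dproc=sh act=exec cs1=prod-cluster cs3=payments cs5=api-7c9d "
          "request=registry.example/payments/api:1.4 cs4=sh -c echo a\\=b")
```

Feeding `SAMPLE` to `parse_kcs_cef` yields signature FPM-001 with severity 7 (band High) and an extension whose cs4 value unescapes to `sh -c echo a=b`.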
