Contents
- Appendices
- Commands for components manual starting and installing
- Integrity check of KUMA files
- Normalized event data model
- Alert data model
Appendices
This section provides information that complements the main document text with reference information.
Commands for components manual starting and installing
This section contains the parameters of KUMA's executable file /opt/kaspersky/kuma/kuma that can be used to manually start or install KUMA services. This may be useful when you need to see output in the server operating system console.
Command parameters
Command | Description
tools | Start KUMA administration tools.
collector | Install, start, or remove a collector service.
core | Install, start, or uninstall a Core service.
correlator | Install, start, or remove a correlator service.
agent | Install, start, or remove an agent service.
help | Get information about available commands and parameters.
license | Get information about the license.
storage | Start or install a Storage.
version | Get information about the version of the program.
Flags:
-h, --help are used to get help about any kuma command. For example: kuma <component> --help
Examples:
kuma version is used to get the version of the KUMA installer.
kuma core -h is used to get help about the core command of the KUMA installer.
kuma collector --core <address of the server where the collector should obtain its settings> --id <ID of the installed service> --api.port <port> is used to start collector service installation.
Integrity check of KUMA files
The integrity of KUMA components is checked using a set of scripts based on the integrity_checker tool and located in the /opt/kaspersky/kuma/integrity/bin directory. An integrity check uses manifest xml files in the /opt/kaspersky/kuma/integrity/manifest/* directory, signed with a Kaspersky cryptographic signature.
Running the integrity check tool requires a user account with permissions at least matching those of the KUMA account.
The integrity check tool processes each KUMA component individually, and it must be run on servers that have the appropriate components installed. An integrity check also verifies the xml manifest file that was used, so a tampered manifest is reported rather than silently accepted.
To check the integrity of component files:
- Run the following command to navigate to the directory that contains the set of scripts:
cd /opt/kaspersky/kuma/integrity/bin
- Then pick the command that matches the KUMA component you want to check:
./check_all.sh for KUMA Core and Storage components.
./check_core.sh for KUMA Core components.
./check_collector.sh for KUMA collector components.
./check_correlator.sh for KUMA correlator components.
./check_storage.sh for storage components.
./check_kuma_exe.sh <full path to kuma.exe omitting file name> for KUMA Agent for Windows. The standard location of the agent executable file on the Windows device is: C:\Program Files\Kaspersky Lab\KUMA\.
The integrity of the component files is checked.
The result of checking each component is displayed in the following format:
- The Summary section describes the number of scanned objects along with the scan status: integrity not confirmed / object skipped / integrity confirmed:
- Manifests – the number of manifest files processed.
- Files – the number of KUMA files processed.
- Directories – not used by KUMA integrity checking.
- Registries – not used by KUMA integrity checking.
- Registry values – not used by KUMA integrity checking.
- Component integrity check result:
- SUCCEEDED – integrity confirmed.
- FAILED – integrity violated.
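The procedure above is typed at a shell; for scheduled or fleet-wide checks you will usually want a wrapper that selects the right script and turns the verdict into an exit code. The following Python helper is an added example, not part of the KUMA documentation or product. It assumes the script names and directory listed above, and that each script prints the Summary counters and a SUCCEEDED or FAILED result line as described; the exact line layout is an assumption, and the sample output used in its self-test is constructed.

```python
# Added example (not KUMA product code): run a KUMA integrity-check script and
# turn its output into a machine-readable verdict for cron or monitoring use.
import re
import subprocess
from typing import Dict, List, Optional

INTEGRITY_BIN = "/opt/kaspersky/kuma/integrity/bin"

# Component -> check script, as listed in the documentation. The agent check
# takes the directory that contains kuma.exe as its argument.
CHECK_SCRIPTS = {
    "all": "check_all.sh",
    "core": "check_core.sh",
    "collector": "check_collector.sh",
    "correlator": "check_correlator.sh",
    "storage": "check_storage.sh",
    "agent": "check_kuma_exe.sh",
}

# Assumed output layout: a verdict word and "Name - N" summary counters.
_VERDICT = re.compile(r"\b(SUCCEEDED|FAILED)\b")
_COUNT = re.compile(
    r"^\s*(Manifests|Files|Directories|Registries|Registry values)\s*[-\u2013:]\s*(\d+)",
    re.MULTILINE,
)


def parse_check_output(text: str) -> Dict[str, object]:
    """Return verdict and summary counters parsed from one script's output.

    Any FAILED marker makes the verdict FAILED. No marker at all is reported as
    UNKNOWN (script crashed, or the output format changed) and never counts as
    a pass: silence from an integrity check is not evidence of integrity.
    """
    verdicts = _VERDICT.findall(text)
    if not verdicts:
        verdict = "UNKNOWN"
    elif "FAILED" in verdicts:
        verdict = "FAILED"
    else:
        verdict = "SUCCEEDED"
    counts = {name: int(n) for name, n in _COUNT.findall(text)}
    return {"verdict": verdict, "counts": counts, "ok": verdict == "SUCCEEDED"}


def run_check(component: str, agent_dir: Optional[str] = None) -> Dict[str, object]:
    """Run the check script for one component from the integrity bin directory."""
    script = CHECK_SCRIPTS[component]
    cmd: List[str] = [f"./{script}"]
    if component == "agent":
        if not agent_dir:
            raise ValueError("agent check needs the directory containing kuma.exe")
        cmd.append(agent_dir)
    # cwd matters: the documentation runs the scripts from the bin directory.
    proc = subprocess.run(cmd, cwd=INTEGRITY_BIN, capture_output=True, text=True)
    result = parse_check_output(proc.stdout + proc.stderr)
    result["exit_code"] = proc.returncode
    if proc.returncode != 0 and result["verdict"] == "SUCCEEDED":
        # A non-zero exit must not masquerade as a pass.
        result["verdict"], result["ok"] = "UNKNOWN", False
    return result


if __name__ == "__main__":
    import json
    import sys

    comp = sys.argv[1] if len(sys.argv) > 1 else "all"
    res = run_check(comp, sys.argv[2] if len(sys.argv) > 2 else None)
    print(json.dumps(res))
    sys.exit(0 if res["ok"] else 1)
```

Run it as `python3 kuma_integrity.py correlator` (or `agent <dir>` for a copied Windows agent directory). A non-zero exit means either a confirmed integrity violation or output the wrapper could not interpret; both should raise an alert rather than be ignored.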
Normalized event data model
This section presents the KUMA normalized event data model. All events that are processed by the KUMA Correlator to detect alerts must comply with this model.
Events that do not comply with this data model must be converted into this format (normalized) by Collectors.
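To make the mapping concrete, the following Python normalizer is an added example, not KUMA product code and not how a KUMA collector is implemented internally. It takes a raw CEF line, fills the header fields (DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Name, Severity) and a subset of the CEF extension keys into the field names of the table below, types Number fields as integers, keeps the unaltered line in Raw, and places unmapped extension keys into Extra as the model prescribes for base events. The key-to-field mapping, the helper signature and the sample line are assumptions for illustration; the sample record is constructed.

```python
# Added example (not KUMA product code): normalize a raw CEF line into the
# KUMA normalized event field names. Mapping table and sample are assumed.
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, Optional

# CEF extension key -> KUMA normalized field (a subset of the standard keys).
CEF_KEY_MAP = {
    "src": "SourceAddress", "spt": "SourcePort", "suser": "SourceUserName",
    "shost": "SourceHostName", "dst": "DestinationAddress", "dpt": "DestinationPort",
    "duser": "DestinationUserName", "dhost": "DestinationHostName",
    "proto": "TransportProtocol", "app": "ApplicationProtocol",
    "act": "DeviceAction", "outcome": "EventOutcome", "msg": "Message",
    "request": "RequestUrl", "requestMethod": "RequestMethod",
    "in": "BytesIn", "out": "BytesOut", "fname": "FileName", "fileHash": "FileHash",
    "dvc": "DeviceAddress", "dvchost": "DeviceHostName",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
    "cn1": "DeviceCustomNumber1", "cn1Label": "DeviceCustomNumber1Label",
}
# Fields the data model types as Number; everything else stays a string.
INT_FIELDS = {"SourcePort", "DestinationPort", "BytesIn", "BytesOut", "DeviceCustomNumber1"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")  # split on '|' not preceded by a backslash
# key=value pairs; a value runs (with backslash escapes) until the next " key=".
_EXT_PAIR = re.compile(r"([A-Za-z0-9_]+)=((?:\\.|[^\\=])*?)(?:\s+(?=[A-Za-z0-9_]+=)|\s*$)")


def _unescape(value: str) -> str:
    """Remove CEF backslash escapes such as an escaped pipe or equals sign."""
    return re.sub(r"\\(.)", r"\1", value)


def normalize_cef(raw: str, collector_id: str, collector_name: str,
                  tenant_id: str, now_ts: Optional[int] = None) -> Dict[str, object]:
    """Return a base event in the normalized model, or raise ValueError."""
    parts = _HEADER_SPLIT.split(raw.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    hdr = [_unescape(p) for p in parts[:7]]
    ext = parts[7] if len(parts) == 8 else ""
    # Timestamp is when the collector created the base event, in UTC0.
    ts = now_ts if now_ts is not None else int(datetime.now(timezone.utc).timestamp())
    event: Dict[str, object] = {
        "ID": str(uuid.uuid4()),          # UUID generated by the collector
        "Timestamp": ts,
        "TenantID": tenant_id,
        "ServiceID": collector_id,
        "ServiceName": collector_name,
        "DeviceVendor": hdr[1], "DeviceProduct": hdr[2], "DeviceVersion": hdr[3],
        "DeviceEventClassID": hdr[4], "Name": hdr[5], "Severity": hdr[6],
        "Raw": raw,                        # unaltered source text
        "Extra": {},                       # unmapped keys, base events only
    }
    extra: Dict[str, str] = event["Extra"]  # type: ignore[assignment]
    for key, value in _EXT_PAIR.findall(ext):
        value = _unescape(value)
        field = CEF_KEY_MAP.get(key)
        if field is None:
            extra[key] = value
            continue
        if field in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                extra[key] = value  # keep the odd value rather than drop the event
                continue
        event[field] = value
    return event


# Constructed sample record, not a real product log line.
SAMPLE_CEF = (
    "CEF:0|Acme|Gateway|2.4|100|SSH login failed|7|"
    "src=10.0.0.5 spt=51515 dst=10.0.0.20 dpt=22 suser=alice proto=TCP "
    "act=blocked outcome=failure msg=Failed password for alice rule\\=ssh-guard "
    "cs1=branch-3 cs1Label=Site vendorTag=x9"
)

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_cef(SAMPLE_CEF, "c-01", "edge-collector", "t-main"), indent=2))
```

The escaped `\=` inside the msg value and the vendor-specific `vendorTag` key are the two cases a normalizer most often gets wrong: the first must not be treated as a new key, and the second must not be discarded, since unmapped data in Extra is still searchable and available for enrichment.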
Normalized event data model
Field name |
Value type |
Description |
|
Internal standard fields |
|
|
|
ID |
String |
Unique event ID of UUID type. It never changes its value. The collector generates the ID of a base event that is created in the collector; the correlator generates the ID of a correlation event. |
|
Timestamp |
Number, timestamp |
Time when the base event was created in the collector, or when the correlation event was created in the correlator. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
TenantID |
String |
Tenant ID. |
|
ServiceID |
String |
ID of the service instance: correlator, collector, storage. |
|
ServiceName |
String |
Name of the service instance that was assigned by the KUMA administrator to the service when it was created. |
|
AggregationRuleName |
String |
The name of the aggregation rule that processed the event. |
|
AggregationRuleID |
String |
ID of the aggregation rule that processed the event. |
|
CorrelationRuleName |
String |
Name of the correlation rule that triggered the creation of the correlation event. It is filled in only for the correlation event. |
|
CorrelationRuleID |
String |
ID of the correlation rule that triggered the creation of the correlation event. It is filled in only for the correlation event. |
|
GroupedBy |
Nested list of strings |
List of names of the fields that were used for grouping in the correlation rule. It is filled in only for the correlation event. |
|
Priority |
Number |
Event severity level. |
|
Code |
String |
In a base event, this is the return code of a process, function, or operation from the source. In a correlation event, this field holds the alert code for first-line support or the template code of the notification to be sent.
|
|
Tactic |
String |
Name of the tactic from MITRE. |
|
Technique |
String |
Name of the technique from MITRE. |
|
ReplayID |
String |
ID of the retroscan that generated the event. |
|
Raw |
String |
Unalterable text of the source "raw" event. |
|
SourceAssetID |
String |
ID of the source asset. |
|
DestinationAssetID |
String |
ID of the destination asset. |
|
DeviceAssetID |
String |
Asset ID. |
|
SourceAccountID |
String |
ID of the source account. |
|
DestinationAccountID |
String |
ID of the destination account. |
|
SpaceID |
String |
ID of the space. |
|
BaseEvents |
Nested [Event] list |
Nested structure containing a list of base events. This field can be filled in for correlation events. |
|
TI |
Nested [string:string] dictionary |
Field that contains categories in a dictionary format received from an external Threat Intelligence source based on indicators from an event. |
|
Extra |
Nested [string:string] dictionary |
During normalization of a raw event, this field can be used to place those fields that have not been mapped to KUMA event fields. This field can be filled in only for base events. |
|
AffectedAssets |
Nested [Affected] structure |
Nested structure from which you can query alert-related assets and user accounts, and find out the number of times they appear in alert events. |
|
CEF standard fields |
|
|
|
DeviceVendor |
String |
Name of the log source producer. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
|
DeviceProduct |
String |
Product name from the log source. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
|
DeviceVersion |
String |
Product version from the log source. The value is taken from the raw event. The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source. |
|
DeviceEventClassID |
String |
Unique ID for the event type from the log source. Certain log sources categorize events. |
|
Name |
String |
Event name in the raw event. |
|
Severity |
String |
Severity of the event, as given in the raw event. |
|
DeviceAction |
String |
Action taken by a device or by a log source. For example, blocked, detected. |
|
ApplicationProtocol |
String |
Application-layer protocol such as HTTP or Telnet. |
|
DeviceCustomIPv6Address1 |
String |
Field for displaying an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (for firewalls, for example). This field is customizable. |
|
DeviceCustomIPv6Address1Label |
String |
Description of the purpose of the DeviceCustomIPv6Address1 field. |
|
DeviceCustomIPv6Address2 |
String |
Field for displaying an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (for firewalls, for example). This field is customizable. |
|
DeviceCustomIPv6Address2Label |
String |
Description of the purpose of the DeviceCustomIPv6Address2 field. |
|
DeviceCustomIPv6Address3 |
String |
Field for displaying an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (for firewalls, for example). This field is customizable. |
|
DeviceCustomIPv6Address3Label |
String |
Description of the purpose of the DeviceCustomIPv6Address3 field. |
|
DeviceCustomIPv6Address4 |
String |
Field for displaying an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (for firewalls, for example). This field is customizable. |
|
DeviceCustomIPv6Address4Label |
String |
Description of the purpose of the DeviceCustomIPv6Address4 field. |
|
DeviceEventCategory |
String |
Raw event category from the diagram defining the categories of log source events. |
|
DeviceCustomFloatingPoint1 |
Number |
Field for the Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomFloatingPoint1Label |
String |
Description of the purpose of the DeviceCustomFloatingPoint1 field. |
|
DeviceCustomFloatingPoint2 |
Number |
Field for the Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomFloatingPoint2Label |
String |
Description of the purpose of the DeviceCustomFloatingPoint2 field. |
|
DeviceCustomFloatingPoint3 |
Number |
Field for the Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomFloatingPoint3Label |
String |
Description of the purpose of the DeviceCustomFloatingPoint3 field. |
|
DeviceCustomFloatingPoint4 |
Number |
Field for the Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomFloatingPoint4Label |
String |
Description of the purpose of the DeviceCustomFloatingPoint4 field. |
|
DeviceCustomNumber1 |
Number |
Field for the integer value that cannot be mapped to any other field of the data model. This field is customizable.
|
|
DeviceCustomNumber1Label |
String |
Description of the purpose of the DeviceCustomNumber1 field. |
|
DeviceCustomNumber2 |
Number |
Field for the integer value that cannot be mapped to any other field of the data model. This field is customizable.
|
|
DeviceCustomNumber2Label |
String |
Description of the purpose of the DeviceCustomNumber2 field. |
|
DeviceCustomNumber3 |
Number |
Field for the integer value that cannot be mapped to any other field of the data model. This field is customizable.
|
|
DeviceCustomNumber3Label |
String |
Description of the purpose of the DeviceCustomNumber3 field. |
|
BaseEventCount |
Number |
Number of base events combined into an aggregated event. |
|
DeviceCustomString1 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString1Label |
String |
Description of the purpose of the DeviceCustomString1 field. |
|
DeviceCustomString2 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString2Label |
String |
Description of the purpose of the DeviceCustomString2 field. |
|
DeviceCustomString3 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString3Label |
String |
Description of the purpose of the DeviceCustomString3 field. |
|
DeviceCustomString4 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString4Label |
String |
Description of the purpose of the DeviceCustomString4 field. |
|
DeviceCustomString5 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString5Label |
String |
Description of the purpose of the DeviceCustomString5 field. |
|
DeviceCustomString6 |
String |
Field for the string value that cannot be mapped to any other field of the data model. This field is customizable. |
|
DeviceCustomString6Label |
String |
Description of the purpose of the DeviceCustomString6 field. |
|
DestinationDnsDomain |
String |
The DNS domain portion of the complete fully qualified domain name (FQDN) of the destination, if the raw event contains the values of the traffic sender and recipient. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationServiceName |
String |
Service name on the traffic recipient's side. For example, "sshd". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationTranslatedAddress |
String |
IP address of the traffic recipient asset (after the address is translated). This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationTranslatedPort |
Number |
Port number on the traffic recipient asset (after the recipient address is translated). This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DeviceCustomDate1 |
Number, timestamp |
Field for the Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser.
|
|
DeviceCustomDate1Label |
String |
Field for describing the purpose of the DeviceCustomDate1 field. |
|
DeviceCustomDate2 |
Number, timestamp |
Field for the Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser.
|
|
DeviceCustomDate2Label |
String |
Field for describing the purpose of the DeviceCustomDate2 field. |
|
DeviceDirection |
Number |
Field for a description of the connection direction from the raw event.
|
|
DeviceDnsDomain |
String |
The DNS domain part of the complete fully qualified domain name (FQDN) of the asset IP address from which the raw event was received. |
|
DeviceExternalID |
String |
External unique ID of the device if it is communicated in the raw event. |
|
DeviceFacility |
String |
Facility from the raw event, if one exists. For example, the Facility field in the Syslog can be used to transmit the OS component name where an error occurred.
|
|
DeviceInboundInterface |
String |
Name of the incoming connection interface. |
|
DeviceNtDomain |
String |
Windows Domain Name of the device. |
|
DeviceOutboundInterface |
String |
Name of the outgoing connection interface. |
|
DevicePayloadID |
String |
The payload's unique ID associated with the raw event. |
|
DeviceProcessName |
String |
Name of the process from the raw event. |
|
DeviceTranslatedAddress |
String |
Translated IP address of the device from which the raw event was received. |
|
DestinationHostName |
String |
Host name of the traffic receiver. FQDN of the traffic recipient, if available. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationMacAddress |
String |
MAC address of the traffic recipient asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationNtDomain |
String |
Windows Domain Name of the traffic recipient device. |
|
DestinationProcessID |
Number |
ID of the system process that is associated with the traffic recipient in the raw event. For example, if Process ID 105 is specified in the event, DestinationProcessID=105. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationUserPrivileges |
String |
Names of user roles that identify user privileges at the destination. For example, "User", "Guest", or "Administrator". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationProcessName |
String |
Name of the system process at the destination. For example, "sshd" or "telnet". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationPort |
Number |
Port number at the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationAddress |
String |
Destination IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DeviceTimeZone |
String |
Time zone of the device where the event was generated. By default, this is the system time zone of the collector or correlator. If the event is configured to be enriched with time zone information, the field holds the time zone from the enrichment rule. If the time zone of the event source was specified in the raw event and preserved during normalization, that value is stored in this field. The field value has the format ±hh:mm. |
|
DestinationUserID |
String |
User ID at the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DestinationUserName |
String |
User name at the destination. It may contain the email address of the user. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
DeviceAddress |
String |
IPv4 address of the asset from which the event was received. |
|
DeviceHostName |
String |
Name of the asset host from which the event was received. FQDN of the asset, if available. |
|
DeviceMacAddress |
String |
MAC address of the asset from which the event was received. |
|
DeviceProcessID |
Number |
ID of the system process on the device that generated the event. |
|
EndTime |
Number |
Time when the action associated with the event ended. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
ExternalID |
String |
ID of the device that generated the event. |
|
FileCreateTime |
Number |
Time of file creation from the event. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
FileHash |
String |
Hash of the file. |
|
FileID |
String |
File ID. |
|
FileModificationTime |
Number |
Time when the file was last modified. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
FilePath |
String |
File path, including the file name. |
|
FilePermission |
String |
List of file permissions. |
|
FileType |
String |
File type. For example, application, pipe, or socket. |
|
FlexDate1 |
Number, timestamp |
Field for the Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser.
|
|
FlexDate1Label |
String |
Description of the purpose of the flexDate1 field. |
|
FlexString1 |
String |
Field for the String-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
FlexString1Label |
String |
Description of the purpose of the flexString1 field. |
|
FlexString2 |
String |
Field for the String-type value that cannot be mapped to any other field of the data model. This field is customizable. |
|
FlexString2Label |
String |
Description of the purpose of the flexString2 field. |
|
FlexNumber1 |
Number |
Field for the integer type that cannot be mapped to any other field of the data model. This field is customizable. |
|
FlexNumber1Label |
String |
Description of the purpose of the flexNumber1 field. |
|
FlexNumber2 |
Number |
Field for the integer type that cannot be mapped to any other field of the data model. This field is customizable. |
|
FlexNumber2Label |
String |
Description of the purpose of the flexNumber2 field. |
|
FileName |
String |
Filename without specifying the file path. |
|
FileSize |
Number |
File size. |
|
BytesIn |
Number |
Number of bytes transferred inbound, that is, sent from the source to the destination. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.
|
|
Message |
String |
Short description of the error or problem from the raw event. |
|
OldFileCreateTime |
Number |
Time when the OLD file was created, from the event. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
OldFileHash |
String |
Hash code of the OLD file. |
|
OldFileID |
String |
ID of the OLD file. |
|
OldFileModificationTime |
Number |
Time when the OLD file was last modified. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser.
|
|
OldFileName |
String |
Name of the OLD file (without the file path). |
|
OldFilePath |
String |
Path to the OLD file, including the file name. |
|
OldFilePermission |
String |
List of permissions of the OLD file. |
|
OldFileSize |
Number |
Size of the OLD file. |
|
OldFileType |
String |
File type. For example, application, pipe, or socket. |
|
BytesOut |
Number |
Number of sent bytes. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
EventOutcome |
String |
Result of the action. For example, "success", "failure". |
|
TransportProtocol |
String |
Name of the OSI Layer 4 protocol (such as TCP or UDP). |
|
Reason |
String |
Short description of the audit reason in the audit messages. |
|
RequestUrl |
String |
URL of the request. |
|
RequestClientApplication |
String |
Agent that processed the request. |
|
RequestContext |
String |
Description of the request context. |
|
RequestCookies |
String |
Cookie files related to the request. |
|
RequestMethod |
String |
Method that was used to access the URL (such as POST or GET). |
|
DeviceReceiptTime |
Number |
Time when the event was received. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
SourceHostName |
String |
Name of the host of the traffic source. FQDN of the traffic source, if available. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceDnsDomain |
String |
The DNS domain portion of the complete fully qualified domain name (FQDN) of the traffic source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceServiceName |
String |
Name of the service at the traffic source. For example, "sshd". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceTranslatedAddress |
String |
Source translated IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceTranslatedPort |
Number |
Number of the translated port at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceMacAddress |
String |
MAC address of the traffic source asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceNtDomain |
String |
Windows Domain Name of the traffic source device. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceProcessID |
Number |
System process ID that is associated with the traffic source in the raw event. For example, if Process ID 105 is specified in the event, SourceProcessID=105. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceUserPrivileges |
String |
Names of user roles that identify user privileges at the source. For example, "User", "Guest", or "Administrator". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceProcessName |
String |
Name of the system process at the source. For example, "sshd" or "telnet". This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourcePort |
Number |
Port number at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceAddress |
String |
Source IPv4 address. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
StartTime |
Number |
Time when the action associated with the event began. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
|
SourceUserID |
String |
User ID at the source. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
SourceUserName |
String |
User name at the source. It may contain the email address of the user. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination. |
|
Type |
Number |
Indicator of the correlation event type. The following values are available:
|
|
Fields containing geographic data |
|
|
|
SourceCountry |
String |
Country matching the source IPv4 address from the SourceAddress field. |
|
SourceRegion |
String |
Region matching the source IPv4 address from the SourceAddress field. |
|
SourceCity |
String |
City matching the source IPv4 address from the SourceAddress field. |
|
SourceLatitude |
Number |
Latitude matching the source IPv4 address from the SourceAddress field. |
|
SourceLongitude |
Number |
Longitude matching the source IPv4 address from the SourceAddress field. |
|
DestinationCountry |
String |
Country matching the destination IPv4 address from the DestinationAddress field. |
|
DestinationRegion |
String |
Region matching the destination IPv4 address from the DestinationAddress field. |
|
DestinationCity |
String |
City matching the destination IPv4 address from the DestinationAddress field. |
|
DestinationLatitude |
Number |
Latitude matching the destination IPv4 address from the DestinationAddress field. |
|
DestinationLongitude |
Number |
Longitude matching the destination IPv4 address from the DestinationAddress field. |
|
DeviceCountry |
String |
Country matching the device IPv4 address from the DeviceAddress field. |
|
DeviceRegion |
String |
Region matching the device IPv4 address from the DeviceAddress field. |
|
DeviceCity |
String |
City matching the device IPv4 address from the DeviceAddress field. |
|
DeviceLatitude |
Number |
Latitude matching the device IPv4 address from the DeviceAddress field. |
|
DeviceLongitude |
Number |
Longitude matching the device IPv4 address from the DeviceAddress field. |
|
Nested Affected structure
Field |
Data type |
Description |
|
Nested |
List and number of assets associated with the alert. |
|
Nested |
List and number of user accounts associated with the alert. |
Nested AffectedRecord structure
Field |
Data type |
Description |
|
String |
ID of the asset or user account. |
|
Number |
The number of times an asset or user account appears in alert-related events. |
Alert data model
This section describes the KUMA alert data model. Alerts are created by correlators whenever information security threats are detected using correlation rules. Alerts must be investigated to eliminate these threats.
Alert field |
Data type |
Description |
|
String |
Unique ID of the alert. |
|
String |
ID of the tenant that owns the alert. The value is inherited from the correlator that generated the alert. |
|
String |
Tenant name. |
|
String |
ID of the rule used as the basis for generating the alert. |
|
String |
Name of the correlation rule used as the basis for generating the alert. |
|
String |
Alert status. Possible values:
|
|
Number |
Alert severity. Possible values:
|
|
|
Parameter showing how the alert severity level was determined. Possible values:
|
|
Number |
Time when the first correlation event in the alert was created. |
|
Number |
Time when the last correlation event in the alert was created. |
|
Number |
Date of the last modification to the alert parameters. |
|
String |
ID of the KUMA user assigned to examine the alert. |
|
String |
Name of the KUMA user assigned to examine the alert. |
|
Nested list of strings |
List of event fields used to group events in the correlation rule. |
|
String |
Reason for closing the alert. Possible values:
|
|
|
Indicator that the alert is overflowed, which means that the size of the alert and the events associated with it exceeds 16 MB. Possible values:
|
|
String |
Maximum severity of the asset categories associated with the alert. |
|
String |
ID of the alert in the IRP / SOAR application, if integration with such an application is configured in KUMA. |
|
String |
Link to a section in the IRP / SOAR application that displays information about an alert imported from KUMA. |
|
String |
ID of the incident to which the alert is linked. |
|
String |
Name of the incident to which the alert is linked. |
|
String |
Name of the segmentation rule used to group correlation events in the alert. |
|
String |
ID of the hierarchy branch in which the alert was generated. Indicated for a hierarchical deployment of KUMA. |
|
String |
Name of the hierarchy branch in which the alert was generated. Indicated for a hierarchical deployment of KUMA. |
|
Nested |
Nested structure with lines indicating changes to alert statuses and assignments, and user comments. |
|
Nested |
Nested structure from which you can query the correlation events associated with the alert. |
|
Nested |
Nested structure from which you can query assets associated with the alert. |
|
Nested |
Nested structure from which you can query the user accounts associated with the alert. |
|
Nested |
Nested structure from which you can query alert-related assets and user accounts, and find out the number of times they appear in alert events. |
Nested Affected
structure
Field |
Data type |
Description |
|
Nested |
List and number of assets associated with the alert. |
|
Nested |
List and number of user accounts associated with the alert. |
Nested AffectedRecord
structure
Field |
Data type |
Description |
|
String |
ID of the asset or user account. |
|
Number |
The number of times an asset or user account appears in alert-related events. |
Nested EventWrapper
structure
Field |
Data type |
Description |
|
Nested |
Event fields. |
|
String |
Comment added when events were added to the alert. |
|
Number |
Date when events were added to the alert. |
Nested Action
structure
Field |
Data type |
Description |
|
Number |
Date when the action was taken on the alert. |
|
String |
User ID. |
|
String |
Type of action. |
|
String |
Value. |
|
Nested |
Event fields. |
|
String |
Cluster ID. |
Asset data model
The structure of an asset is represented by fields that contain values. Fields can also contain nested structures.
Asset field |
Value type |
Description |
|
String |
Asset ID. |
|
String |
Tenant name. |
|
Number |
Asset deletion date. |
|
Number |
Asset creation date. |
|
String |
Tenant ID. |
|
Nested list of strings |
Asset categories. |
|
Nested |
Asset categories as nested Category structures. |
|
Nested dictionary:
|
IDs of incidents. |
|
Nested list of strings |
Asset IP addresses. |
|
String |
Asset FQDN. |
|
Number |
Asset importance. |
|
String with |
Indicator of whether the asset has been marked for deletion from KUMA. |
|
Number |
Date of last update of the asset. |
|
Nested list of strings |
Asset MAC addresses. |
|
Nested list of numbers |
IP address in number format. |
|
Nested |
Asset owner information. |
|
Nested |
Asset operating system information. |
|
String |
Asset name. |
|
Nested |
Software installed on the asset. |
|
Nested |
Asset vulnerabilities. |
|
String |
KICS for Networks server IP address. |
|
Number |
KICS for Networks connector ID. |
|
Number |
KICS for Networks asset ID. |
|
String |
KICS for Networks asset status. |
|
Nested |
Asset hardware information received from KICS for Networks. |
|
Nested |
Asset software information received from KICS for Networks. |
|
Nested |
Asset vulnerability information received from KICS for Networks. |
|
Nested |
Basic information about the asset from various sources. |
|
String with |
Indicator that asset details have been imported from KSC. |
|
String |
ID of the KSC Agent from which the asset information was received. |
|
String |
FQDN of the KSC Server. |
|
String |
KSC instance ID. |
|
String |
KSC Server host name. |
|
Number |
KSC group ID. |
|
String |
KSC group name. |
|
Number |
Date when information about the asset was last received from KSC. |
|
Nested dictionary:
|
Information about Kaspersky applications installed on the asset received from KSC. |
|
Nested |
Asset hardware information received from KSC. |
|
Nested |
Asset software information received from KSC. |
|
Nested |
Asset vulnerability information received from KSC. |
Nested Category
structure
Field |
Value type |
Description |
|
String |
Category ID. |
|
String |
Tenant ID. |
|
String |
Tenant name. |
|
String |
Parent category. |
|
Nested list of strings |
Structure of categories. |
|
String |
Category name. |
|
Number |
Last update of the category. |
|
Number |
Category creation date. |
|
String |
Category description. |
|
Number |
Category importance. |
|
String |
Asset category assignment type. |
|
Number |
Categorization date. |
|
String |
Category assignment interval. |
Nested OwnerInfo
structure
Field |
Value type |
Description |
|
String |
Name of the asset owner. |
Nested OS
structure
Field |
Value type |
Description |
|
String |
Name of the operating system. |
|
Number |
Operating system version. |
Nested Software
structure
Field |
Value type |
Description |
|
String |
Software name. |
|
String |
Software version. |
|
String |
Software publisher. |
|
String |
Installation date. |
|
|
Indicates whether the software has an MSI installer. |
Nested Vulnerability
structure
Field |
Value type |
Description |
|
String |
Vulnerability ID assigned by Kaspersky. |
|
String |
Software name. |
|
String |
URL containing the vulnerability description. |
|
String |
Recommended update. |
|
String |
Recommended update. |
|
String |
Vulnerability severity. |
|
Number |
Vulnerability severity. |
|
Nested list of strings |
CVE vulnerability ID. |
|
|
Indicates whether an exploit exists. |
|
|
Indicates whether malware exists. |
Nested KICSSystemInfo
structure
Field |
Value type |
Description |
|
String |
Device model. |
|
String |
Device version. |
|
String |
Vendor. |
Nested KICSRisk
structure
Field |
Value type |
Description |
|
Number |
KICS for Networks risk ID. |
|
String |
Risk name. |
|
String |
Risk type. |
|
String |
Risk description. |
|
String |
Link to risk description. |
|
Number |
Risk severity. |
|
Number |
CVSS score. |
Nested Sources
structure
Field |
Value type |
Description |
|
Nested |
Asset information received from KSC. |
|
Nested |
Asset information received through the REST API. |
|
Nested |
Manually entered information about the asset. |
|
Nested |
Asset information received from KICS for Networks. |
Nested Source
structure
Field |
Value type |
Description |
|
Nested list of strings |
Asset MAC addresses. |
|
Nested list of numbers |
IP address in number format. |
|
Nested |
Asset owner information. |
|
Nested |
Asset operating system information. |
|
String |
Asset name. |
|
Nested list of strings |
Asset IP addresses. |
|
String |
Asset FQDN. |
|
Number |
Asset importance. |
|
String with |
Indicator of whether the asset has been marked for deletion from KUMA. |
|
Number |
Date of last update of the asset. |
Nested ProductInfo
structure
Field |
Value type |
Description |
|
String |
Software version. |
|
String |
Software name. |
Nested Hardware
structure
Field |
Value type |
Description |
|
Nested |
List of network cards of the asset. |
|
Nested |
List of asset processors. |
|
Nested |
Asset RAM list. |
|
Nested |
List of asset drives. |
Nested NetCard
structure
Field |
Value type |
Description |
|
String |
Network card ID. |
|
Nested list of strings |
MAC addresses of the network card. |
|
String |
Network card name. |
|
String |
Network card manufacturer. |
|
String |
Driver version. |
Nested RAM
structure
Field |
Value type |
Description |
|
String |
RAM frequency. |
|
Number |
Amount of RAM, in bytes. |
Nested CPU
structure
Field |
Value type |
Description |
|
String |
CPU ID. |
|
String |
CPU name. |
|
String |
Number of cores. |
|
String |
Frequency. |
Nested Disk
structure
Field |
Value type |
Description |
|
Number |
Available disk space. |
|
Number |
Total disk space. |
User account data model
User account fields can be queried from email templates and during event correlation.
Field |
Value type |
Description |
|
String |
User account ID. |
|
String |
Active Directory attribute. User account ID in Active Directory. |
|
String |
Tenant ID. |
|
String |
Tenant name. |
|
Number |
Last update of user account. |
|
String |
Domain. |
|
String |
Active Directory attribute. User name. |
|
String |
Active Directory attribute. Displayed user name. This attribute can be used for an event search during correlation. |
|
String |
Active Directory attribute. LDAP object name. This attribute can be used for an event search during correlation. |
|
String |
Active Directory attribute. Employee ID. |
|
String |
Active Directory attribute. User email address. This attribute can be used for an event search during correlation. |
|
String |
Active Directory attribute. Alternate email address. |
|
String |
Active Directory attribute. Mobile phone number. |
|
String |
Active Directory attribute. Security ID. |
|
String |
Active Directory attribute. Login. This attribute can be used for an event search during correlation. |
|
String |
Active Directory attribute. Phone number. |
|
String |
Active Directory attribute. User principal name (UPN). This attribute can be used for an event search during correlation. |
|
|
Indicator that determines whether a user account is obsolete. |
|
List of strings |
Active Directory attribute. AD groups joined by the user. This attribute can be used for an event search during correlation. |
|
|
Indicator that determines whether a user account should be designated as obsolete. |
|
Number |
User account creation date. |
|
String |
Active Directory attribute. Last name of the user. This attribute can be used for an event search during correlation. |
|
String |
Active Directory attribute. User account type. |
|
String |
Active Directory attribute. Job title of the user. |
|
String |
Active Directory attribute. User's department. |
|
String |
Active Directory attribute. User's division. |
|
String |
Active Directory attribute. User's supervisor. |
|
String |
Active Directory attribute. User's location. |
|
String |
Active Directory attribute. User's company. |
|
String |
Active Directory attribute. Company address. |
|
String |
Active Directory attribute. Delivery address. |
|
List of strings |
Active Directory attribute. Objects under control of the user. |
|
Number |
Active Directory attribute. AD account type. This attribute can be used for an event search during correlation. |
|
Number |
Active Directory attribute. User account creation date. |
|
Number |
Active Directory attribute. User account modification date. |
|
Number |
Active Directory attribute. User account expiration date. |
|
Number |
Active Directory attribute. Date of last unsuccessful login attempt. |
Audit event fields
Audit events are created when certain security-related actions are completed in KUMA. These events are used to ensure system integrity. This section contains information about audit event fields.
Event fields with general information
Every audit event has the event fields described below.
Event field name |
Field value |
ID |
Unique event ID in the form of a UUID. |
Timestamp |
Event time. |
DeviceHostName |
The event source host. For audit events, it is the hostname where kuma-core is installed, because it is the source of events. |
DeviceTimeZone |
Timezone of the system time of the server hosting the KUMA Core in the format +- |
Type |
Type of the audit event. For audit events the value is |
TenantID |
ID of the main tenant. |
DeviceVendor |
|
DeviceProduct |
|
EndTime |
Event creation time. |
User was successfully signed in or failed to sign in
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login. |
SourceUserID |
User ID. |
Message |
Description of the error; appears only if an error occurred during login. Otherwise, the field will be empty. |
User login successfully changed
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to change data. |
SourceUserID |
User ID that was used to change data. |
DestinationUserName |
User login whose data was changed. |
DestinationUserID |
User ID whose data was changed. |
DeviceCustomString1 |
Current value of the login. |
DeviceCustomString1Label |
|
DeviceCustomString2 |
Value of the login before it was changed. |
DeviceCustomString2Label |
|
User role was successfully changed
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to change data. |
SourceUserID |
User ID that was used to change data. |
DestinationUserName |
User login whose data was changed. |
DestinationUserID |
User ID whose data was changed. |
DeviceCustomString1 |
Current value of the role. |
DeviceCustomString1Label |
|
DeviceCustomString2 |
Value of the role before it was changed. |
DeviceCustomString2Label |
|
Other data of the user was successfully changed
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to change data. |
SourceUserID |
User ID that was used to change data. |
DestinationUserName |
User login whose data was changed. |
DestinationUserID |
User ID whose data was changed. |
User successfully logged out
This event appears only when the user clicks the logout button.
It does not appear if the user is logged out because the session ended, or if the user logs in again from another browser.
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login. |
SourceUserID |
User ID. |
User password was successfully changed
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to change data. |
SourceUserID |
User ID that was used to change data. |
DestinationUserName |
User login whose data was changed. |
DestinationUserID |
User ID whose data was changed. |
User was successfully created
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to create the user account. |
SourceUserID |
User ID that was used to create the user account. |
DestinationUserName |
User login for which the user account was created. |
DestinationUserID |
User ID for which the user account was created. |
DeviceCustomString1 |
Role of the created user. |
DeviceCustomString1Label |
|
User access token was successfully changed
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to change data. |
SourceUserID |
User ID that was used to change the data. |
DestinationUserName |
User login whose data was changed. |
DestinationUserID |
ID of the user whose data was changed. |
Service was successfully created
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to create the service. |
SourceUserID |
User ID that was used to create the service. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service was successfully deleted
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to delete the service. |
SourceUserID |
User ID that was used to delete the service. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DestinationAddress |
The address of the machine that was used to start the service. If the service has never been started before, the field will be empty. |
DestinationHostName |
The FQDN of the machine that was used to start the service. If the service has never been started before, the field will be empty. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service was successfully reloaded
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to reload the service. |
SourceUserID |
User ID that was used to reload the service. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service was successfully restarted
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to restart the service. |
SourceUserID |
User ID that was used to restart the service. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service was successfully started
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
Address that reported information about service start. It may be a proxy address if the information passed through a proxy. |
SourcePort |
Port that reported information about service start. It may be a proxy port if the information passed through a proxy. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DestinationAddress |
Address of the machine where the service was started. |
DestinationHostName |
FQDN of the machine where the service was started. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service was successfully paired
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
Address that sent a service pairing request. It may be a proxy address if the request passed through a proxy. |
SourcePort |
Port that sent a service pairing request. It may be a proxy port if the request passed through a proxy. |
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Service status was changed
Event field name |
Field value |
DeviceAction |
|
DeviceExternalID |
Service ID. |
DeviceProcessName |
Service name. |
DeviceFacility |
Service type. |
DestinationAddress |
Address of the machine where the service was started. |
DestinationHostName |
FQDN of the machine where the service was started. |
DeviceCustomString1 |
|
DeviceCustomString1Label |
|
DeviceCustomString2 |
|
DeviceCustomString2Label |
|
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Storage partition was deleted by user
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to delete partition. |
SourceUserID |
User ID that was used to delete partition. |
Name |
Index name. |
Message |
|
Storage partition was deleted automatically due to expiration
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
Name |
Index name. |
SourceServiceName |
|
Message |
|
Active list was successfully cleared or operation failed
The event can be assigned the succeeded or failed status.
Since the request to clear an active list is made over a remote connection, a data transfer error may occur at any moment: both before and after deletion.
This means that the active list may be cleared successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, not the succeeded or failed status of the active list clearing.
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to clear the active list. |
SourceUserID |
User ID that was used to clear the active list. |
DeviceExternalID |
Service ID whose active list was cleared. |
ExternalID |
Active list ID. |
Name |
Active list name. |
Message |
If EventOutcome = |
DeviceCustomString5 |
Service tenant ID. Some errors prevent adding tenant information to the event. |
DeviceCustomString5Label |
tenant ID |
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
tenant name |
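The login, role-change and active-list-clearing events above carry the fields an analyst would key detections on, and the last of them carries a failure mode worth handling explicitly: EventOutcome is the TCP/IP status of the request, not the result of the operation. The following Python is an added example written for this page, not KUMA's own code. It treats audit events as dicts keyed by the field names documented here; the DeviceAction strings "login", "role changed" and "active list cleared" are placeholders, since the page does not show KUMA's actual DeviceAction values, and the sample events, role names and the out-of-band item count passed to the verification step are constructed for the example.

```python
"""Triage helpers for KUMA audit events (added example, not KUMA code).

Events are dicts keyed by the audit event field names documented on this
page. DeviceAction values are placeholders for this example; map them to
the real values in your deployment. EventOutcome values "succeeded" and
"failed" are the ones the page mentions.
"""
from collections import Counter

SUCCEEDED = "succeeded"
FAILED = "failed"


def client_address(event):
    """Return (address, from_proxy_header) for the user behind an event.

    SourceTranslatedAddress carries x-real-ip / x-forwarded-for when a proxy
    fronts the KUMA Core; SourceAddress is then the proxy. Prefer the
    translated address but flag its origin: x-forwarded-for is client-supplied
    unless the proxy overwrites it, so do not block on it alone.
    """
    translated = event.get("SourceTranslatedAddress", "")
    if translated:
        # x-forwarded-for may be a chain "client, proxy1"; first = claimed client
        return translated.split(",")[0].strip(), True
    return event.get("SourceAddress", ""), False


def failed_login_bursts(events, threshold=3):
    """Return {(login, address): count} for failed logins reaching threshold."""
    counts = Counter()
    for ev in events:
        if ev.get("DeviceAction") == "login" and ev.get("EventOutcome") == FAILED:
            addr, _ = client_address(ev)
            counts[(ev.get("SourceUserName", ""), addr)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def self_role_changes(events):
    """Role changes where the acting account (SourceUserID) is also the
    changed account (DestinationUserID). DeviceCustomString2 is the role
    before the change, DeviceCustomString1 the current role."""
    hits = []
    for ev in events:
        if ev.get("DeviceAction") != "role changed":
            continue
        actor, target = ev.get("SourceUserID"), ev.get("DestinationUserID")
        if actor and actor == target:
            hits.append({"user": ev.get("SourceUserName"),
                         "old_role": ev.get("DeviceCustomString2"),
                         "new_role": ev.get("DeviceCustomString1")})
    return hits


def active_list_clear_status(event, live_item_count=None):
    """Interpret an "active list cleared" audit event.

    EventOutcome reports the TCP/IP status of the request to the remote
    service, not whether the list was cleared, so "failed" means "unknown"
    until the list is re-checked. live_item_count is the item count the
    service reports now (fetched out of band; passed in so this runs offline).
    """
    outcome = event.get("EventOutcome")
    if outcome == SUCCEEDED:
        return "cleared"
    if outcome == FAILED:
        if live_item_count is None:
            return "unknown: verify"
        return "cleared" if live_item_count == 0 else "not cleared"
    return "unknown: unexpected outcome %r" % (outcome,)


def _login(outcome, msg=""):
    # Constructed sample: analyst1 reaches the Core through proxy 10.0.0.5,
    # which forwards the client address 198.51.100.7.
    return {"DeviceAction": "login", "EventOutcome": outcome,
            "SourceUserName": "analyst1", "SourceUserID": "u1",
            "SourceAddress": "10.0.0.5",
            "SourceTranslatedAddress": "198.51.100.7, 10.0.0.5", "Message": msg}


# Constructed sample events, not real KUMA output.
SAMPLE_EVENTS = [
    _login(FAILED, "invalid password"),
    _login(FAILED, "invalid password"),
    _login(FAILED, "invalid password"),
    _login(SUCCEEDED),
    {"DeviceAction": "role changed", "EventOutcome": SUCCEEDED,
     "SourceUserID": "u1", "SourceUserName": "analyst1",
     "DestinationUserID": "u1", "DestinationUserName": "analyst1",
     "DeviceCustomString1": "General administrator",
     "DeviceCustomString2": "Analyst"},
    {"DeviceAction": "role changed", "EventOutcome": SUCCEEDED,
     "SourceUserID": "u9", "SourceUserName": "admin",
     "DestinationUserID": "u2", "DestinationUserName": "operator2",
     "DeviceCustomString1": "Analyst", "DeviceCustomString2": "Operator"},
    {"DeviceAction": "active list cleared", "EventOutcome": FAILED,
     "ExternalID": "al-1", "Name": "blocked_hosts",
     "Message": "connection reset by peer"},
]

if __name__ == "__main__":
    print("failed login bursts:", failed_login_bursts(SAMPLE_EVENTS))
    print("self role changes:", self_role_changes(SAMPLE_EVENTS))
    print("active list clear:", active_list_clear_status(SAMPLE_EVENTS[-1]))
    print("after re-check:", active_list_clear_status(SAMPLE_EVENTS[-1], 0))
```

The same interpretation of EventOutcome applies to the active list item deletion and import events that follow: a "failed" outcome is a reason to re-query the service, not evidence that the operation did not happen.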
Active list item was successfully deleted or operation was unsuccessful
The event can be assigned the succeeded or failed status.
Since the request to delete an active list item is made over a remote connection, a data transfer error may occur at any moment: both before and after deletion.
This means that the active list item may be deleted successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, not the succeeded or failed status of the active list item deletion.
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to delete the item from the active list. |
SourceUserID |
User ID that was used to delete the item from the active list. |
DeviceExternalID |
Service ID whose active list item was deleted. |
ExternalID |
Active list ID. |
Name |
Active list name. |
DeviceCustomString1 |
Key name. |
DeviceCustomString1Label |
|
Message |
If EventOutcome = |
DeviceCustomString5 |
Service tenant ID. Some errors prevent adding tenant information to the event. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Active list was successfully imported or operation failed
Active list items are imported in parts via a remote connection.
Since the import is performed via a remote connection, a data transfer error can occur at any time: when the data is imported partially or completely. EventOutcome returns the connection status, not the import status.
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to perform the import. |
SourceUserID |
User ID that was used to perform the import. |
DeviceExternalID |
Service ID for which an import was performed. |
ExternalID |
Active list ID. |
Name |
Active list name. |
Message |
If EventOutcome = |
DeviceCustomString5 |
Service tenant ID. Some errors prevent adding tenant information to the event. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Active list was exported successfully
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to perform the export. |
SourceUserID |
User ID that was used to perform the export. |
DeviceExternalID |
Service ID for which an export was performed. |
ExternalID |
Active list ID. |
Name |
Active list name. |
DeviceCustomString5 |
Service tenant ID. Some errors prevent adding tenant information to the event. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Resource was successfully added
Event field name |
Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress |
This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress |
The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort |
Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName |
User login that was used to add the resource. |
SourceUserID |
User ID that was used to add the resource. |
DeviceExternalID |
Resource ID. |
DeviceProcessName |
Resource name. |
DeviceFacility |
Resource type:
|
DeviceCustomString5 |
Tenant ID. |
DeviceCustomString5Label |
|
DeviceCustomString6 |
Tenant name. |
DeviceCustomString6Label |
|
Resource was successfully deleted
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to delete the resource. |
SourceUserID | User ID that was used to delete the resource. |
DeviceExternalID | Resource ID. |
DeviceProcessName | Resource name. |
DeviceFacility | Resource type: |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Resource was successfully updated
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to update the resource. |
SourceUserID | User ID that was used to update the resource. |
DeviceExternalID | Resource ID. |
DeviceProcessName | Resource name. |
DeviceFacility | Resource type: |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Asset was successfully created
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to add the asset. |
SourceUserID | User ID that was used to add the asset. |
DeviceExternalID | Asset ID. |
SourceHostName | Asset ID. |
Name | Asset name. |
DeviceCustomString1 | Comma-separated IP addresses of the asset. |
DeviceCustomString1Label | |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Asset was successfully deleted
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to add the asset. |
SourceUserID | User ID that was used to add the asset. |
DeviceExternalID | Asset ID. |
SourceHostName | Asset ID. |
Name | Asset name. |
DeviceCustomString1 | Comma-separated IP addresses of the asset. |
DeviceCustomString1Label | |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Asset category was successfully added
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to add the category. |
SourceUserID | User ID that was used to add the category. |
DeviceExternalID | Category ID. |
Name | Category name. |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Asset category was deleted successfully
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to delete the category. |
SourceUserID | User ID that was used to delete the category. |
DeviceExternalID | Category ID. |
Name | Category name. |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
Settings were updated successfully
Event field name | Field value |
DeviceAction | |
EventOutcome | |
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this field contains the proxy address. |
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this field contains the port on the proxy side. |
SourceUserName | User login that was used to update the settings. |
SourceUserID | User ID that was used to update the settings. |
DeviceFacility | Type of settings. |
DeviceCustomString5 | Tenant ID. |
DeviceCustomString5Label | |
DeviceCustomString6 | Tenant name. |
DeviceCustomString6Label | |
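Every audit event table above carries the same origin fields: SourceAddress and SourcePort are the peer KUMA actually saw (the proxy, if one was used), while SourceTranslatedAddress is copied from the x-real-ip or x-forwarded-for header. Those headers are set by whoever sends the HTTP request, so the forwarded value is only meaningful when the peer in SourceAddress is a proxy you operate. The following is an added example, not KUMA's own code, that applies this rule when attributing resource, asset, category and settings changes to a client address and flags changes that reach the console from outside the expected administrative networks. The event records, the trusted-proxy ranges and the admin networks are constructed for the example; the field names are the ones from the tables.

```python
"""Attribute KUMA audit events to an originating client address and flag
administrative changes arriving through an unexpected path.

Added example, not part of KUMA. Field names (SourceAddress, SourcePort,
SourceTranslatedAddress, SourceUserName, SourceUserID,
DeviceCustomString5/6) follow the audit event tables; the sample events,
proxy ranges and admin networks below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]

# Constructed: reverse proxies that sit in front of the KUMA console.
TRUSTED_PROXIES: List[Net] = [ip_network("10.0.0.0/24")]
# Constructed: networks from which administrative changes are expected.
ADMIN_NETS: List[Net] = [ip_network("192.168.10.0/24")]


def _in_any(ip_text: str, nets: Iterable[Net]) -> bool:
    """True when ip_text parses and falls inside one of nets; an empty or
    malformed address is never considered inside."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


@dataclass(frozen=True)
class Attribution:
    user: str
    user_id: str
    tenant_id: str
    tenant_name: str
    client_ip: str          # best-effort originating address
    via_proxy: bool         # SourceAddress was one of the trusted proxies
    header_untrusted: bool  # a forwarded header was present but ignored


def attribute(event: Dict[str, str], trusted_proxies: Iterable[Net]) -> Attribution:
    """Pick the client address: the forwarded header is believed only when
    the TCP peer (SourceAddress) is a trusted proxy; otherwise the header
    is under the sender's control and the peer address is used."""
    proxies = list(trusted_proxies)
    peer = event.get("SourceAddress", "")
    forwarded = event.get("SourceTranslatedAddress", "")
    via_proxy = _in_any(peer, proxies)
    if via_proxy and forwarded:
        # x-forwarded-for may hold a chain "client, proxy1, ..."; the first
        # element is the original client as seen by the first proxy.
        client_ip = forwarded.split(",")[0].strip()
        header_untrusted = False
    else:
        client_ip = peer
        header_untrusted = bool(forwarded) and not via_proxy
    return Attribution(
        user=event.get("SourceUserName", ""),
        user_id=event.get("SourceUserID", ""),
        tenant_id=event.get("DeviceCustomString5", ""),
        tenant_name=event.get("DeviceCustomString6", ""),
        client_ip=client_ip,
        via_proxy=via_proxy,
        header_untrusted=header_untrusted,
    )


def flag_changes(events: Iterable[Dict[str, str]], trusted_proxies: Iterable[Net],
                 admin_nets: Iterable[Net]) -> List[Tuple[str, str, str]]:
    """Return (user, client_ip, reason) for each audit event whose origin
    deserves a look: a forwarded header from a non-proxy peer, or a change
    made from outside the admin networks."""
    proxies, nets = list(trusted_proxies), list(admin_nets)
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        a = attribute(ev, proxies)
        if a.header_untrusted:
            findings.append((a.user, a.client_ip, "forwarded header from non-proxy peer ignored"))
        if not _in_any(a.client_ip, nets):
            findings.append((a.user, a.client_ip, "administrative change from outside admin networks"))
    return findings


# Constructed sample audit events (only the origin and tenant fields shown).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"SourceAddress": "192.168.10.5", "SourcePort": "51234", "SourceTranslatedAddress": "",
     "SourceUserName": "admin", "SourceUserID": "u-1", "DeviceCustomString5": "t-1", "DeviceCustomString6": "Main"},
    {"SourceAddress": "10.0.0.7", "SourcePort": "40001", "SourceTranslatedAddress": "192.168.10.22, 10.0.0.7",
     "SourceUserName": "analyst", "SourceUserID": "u-2", "DeviceCustomString5": "t-1", "DeviceCustomString6": "Main"},
    {"SourceAddress": "203.0.113.9", "SourcePort": "44321", "SourceTranslatedAddress": "192.168.10.5",
     "SourceUserName": "admin", "SourceUserID": "u-1", "DeviceCustomString5": "t-1", "DeviceCustomString6": "Main"},
    {"SourceAddress": "10.0.0.7", "SourcePort": "40002", "SourceTranslatedAddress": "198.51.100.4",
     "SourceUserName": "operator", "SourceUserID": "u-3", "DeviceCustomString5": "t-2", "DeviceCustomString6": "Branch"},
]

if __name__ == "__main__":
    for user, ip, reason in flag_changes(SAMPLE_EVENTS, TRUSTED_PROXIES, ADMIN_NETS):
        print(f"{user:10} {ip:16} {reason}")
```

The second sample event shows the proxied case resolving to the first hop of the x-forwarded-for chain; the third shows a forwarded header arriving directly from a non-proxy peer, which is reported rather than believed. Feed real exported audit events into flag_changes with your own proxy and admin ranges.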