Kaspersky Unified Monitoring and Analysis Platform
Editing extended event schema fields

Users with the General administrator, Tenant administrator, Tier 2 analyst, Tier 1 analyst, Junior analyst, Manage shared resources roles can edit existing extended event schema fields.

To edit an extended event schema field:

  1. In the KUMA web console, in the Settings → Extended event schema fields section, click the name of the field that you want to edit.

    This opens the Edit extended schema pane. This pane displays the settings of the selected field, as well as the Dependencies table with a list of resources, dashboard layouts, reports, presets, and sets of fields for finding event sources that use this field. Only resources to whose tenants you have access are displayed. If the field is used by resources to whose tenant you do not have access, such resources are not displayed in the table. Resources in the table are sorted by name.

    Clicking the name of a resource or entity takes you to its page (except for dashboard resources, presets, and saved user queries).

  2. Make the changes you need in the available settings.

    You can edit the Type and Field name settings only if the extended event schema field does not have dependencies. You can edit the Status and Description settings for any extended event scheme field. However, a field with the Disabled status is still used in resource configurations that are already operational, until you manually remove the field from the configuration; the field also remains available in the list of table columns in the Events section for managing old events.

    Disabling an extended event schema field using the Status field requires the General administrator role.

  3. Click the Save button.

The extended event schema field is updated. An audit event is generated about the modification of the field.