Categorization of events
Categorization allows you to use special tags (categories) to describe events of the same type coming from different sources. This makes it easier to find events related to, for example, user authentication or command execution, and helps when writing correlation logic or displaying data in a dashboard or in reports. You can use the KUMA resource set to categorize certain types of events for specific types of event sources.
The following types of KUMA resources are used to categorize events:
- A dictionary with categories of events
- Enrichment rules for enriching events with supplemental information.
- A normalizer for creating an extended event schema field used in enrichment rules.
As part of categorization, the following attributes can be added to an event:
- Object
- Action
- Result
- Threat
- Source type
Additional attributes can also be assigned to the event; they are saved in the SA.KL_EventCategory extended event schema field.
Descriptions of the possible values of the attributes used for categorizing events are provided in the following tables: Object attribute, Action attribute, Result attribute, Threat attribute, Source type attribute.
To customize the categorization of events on a collector:
- Import the [OOTB] Event Categorization package from the KUMA repository.
- In the collector, at the Event enrichment step, apply an event enrichment rule.
You can apply the enrichment rule when creating a new collector or for an existing collector. The rule that you need to apply depends on the event source; select it from the Categorization rules by event source table.
Event categorization works only when using Kaspersky normalizers.
- In the KUMA web interface, select the Resources → Active services section.
- Select the check box next to the modified collector and click the Update configuration button.
The enrichment rule is applied, and the categorization of events is performed.
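To illustrate what categorization buys you, the following added example (not KUMA's own code, dictionary or rule format) maps events from two different sources to the same Object/Action/Result tags from the tables below and then selects failed logons and process starts with one filter each. The dictionary keys, the sample events and the assumption that all tags live in one SA.KL_EventCategory dictionary are constructed for this illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed categorization dictionary (not KUMA's own). The key is
# (source, source-specific event identifier); the value holds the Object,
# Action and Result attribute values from the tables on this page.
CATEGORY_DICT: Dict[Tuple[str, str], Dict[str, str]] = {
    ("microsoft", "4624"): {"Object": "account", "Action": "authentication", "Result": "success"},
    ("microsoft", "4625"): {"Object": "account", "Action": "authentication", "Result": "failure"},
    ("microsoft", "4688"): {"Object": "process", "Action": "start", "Result": "success"},
    ("auditd", "USER_LOGIN:failed"): {"Object": "account", "Action": "authentication", "Result": "failure"},
    ("auditd", "USER_LOGIN:success"): {"Object": "account", "Action": "authentication", "Result": "success"},
    ("auditd", "EXECVE"): {"Object": "process", "Action": "start", "Result": "success"},
}

# Source type attribute value per source (both are operating-system logs).
SOURCE_TYPE: Dict[str, str] = {"microsoft": "OS", "auditd": "OS"}


def enrich(event: dict) -> dict:
    """Return a copy of the event with category tags added (assumed layout:
    one dict under SA.KL_EventCategory). Unknown events are left untagged."""
    cats: Optional[Dict[str, str]] = CATEGORY_DICT.get((event["source"], event["event_id"]))
    out = dict(event)
    if cats is not None:
        out["SA.KL_EventCategory"] = {**cats, "SourceType": SOURCE_TYPE[event["source"]]}
    return out


def matches(event: dict, **wanted: str) -> bool:
    """True when every requested category attribute equals the wanted value."""
    cat = event.get("SA.KL_EventCategory", {})
    return all(cat.get(key) == value for key, value in wanted.items())


# Constructed sample events, in the shape a normalizer might emit them.
SAMPLE_EVENTS: List[dict] = [
    {"source": "microsoft", "event_id": "4625", "host": "ws01", "user": "alice"},
    {"source": "auditd", "event_id": "USER_LOGIN:failed", "host": "srv02", "user": "alice"},
    {"source": "microsoft", "event_id": "4688", "host": "ws01", "user": "alice"},
    {"source": "auditd", "event_id": "EXECVE", "host": "srv02", "user": "bob"},
    {"source": "microsoft", "event_id": "4624", "host": "ws01", "user": "alice"},
]


def failed_logons(events: List[dict]) -> List[dict]:
    """One source-independent filter instead of one per event ID."""
    return [e for e in map(enrich, events)
            if matches(e, Object="account", Action="authentication", Result="failure")]


def process_starts(events: List[dict]) -> List[dict]:
    return [e for e in map(enrich, events) if matches(e, Object="process", Action="start")]
```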
Categorization rules by event source
| System name | Normalizer name | Enrichment rule name |
| --- | --- | --- |
| Microsoft, OS event logs | [OOTB] Microsoft Products for KUMA 3 | [OOTB] Event categorization. Microsoft Products |
| Microsoft Sysmon | [OOTB] Microsoft Products for KUMA 3 | [OOTB] Event categorization. Microsoft Products |
| Auditd | [OOTB] Linux auditd syslog for KUMA 3.2 | [OOTB] Event categorization. Auditd |
| Kaspersky Security Center | [OOTB] KSC from SQL | [OOTB] Event categorization. Kaspersky Security Center |
| Kaspersky Security for Linux Mail Server | [OOTB] KLMS syslog CEF | [OOTB] Event categorization. Kaspersky Security for Linux Mail Server |
| Kaspersky IoT Secure Gateway | [OOTB] Kaspersky KISG syslog | [OOTB] Event categorization. Kaspersky IoT Secure Gateway |
| Kaspersky Container Security | [OOTB] Syslog-CEF | [OOTB] Event categorization. Kaspersky Container Security |
| Kaspersky Industrial CyberSecurity for Networks | [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog | [OOTB] Event categorization. Kaspersky Industrial CyberSecurity for Networks |
| Kaspersky Web Traffic Security | [OOTB] KWTS syslog CEF | [OOTB] Event categorization. Kaspersky Web Traffic Security |
| Kaspersky Mail Security Gateway | [OOTB] KSMG syslog CEF | [OOTB] Event categorization. Kaspersky Mail Security Gateway |
Object attribute
| Value of the Object attribute | Description |
| --- | --- |
| account | Accounts |
| configuration | Settings |
| connection | Network connection |
| container | Containers |
| data | Data or tables in the database |
| dns | DNS queries |
| file | Files |
| group | Groups |
| host | Host |
| http | Web requests |
| image | DLLs and drivers |
| malware | Malicious object |
| permission | Rights and privileges |
| process | Process |
| registry | Registry keys |
| service | Services and daemons |
| task | Tasks |
| VM | Virtual machine |
| device | Token, USB device, attached device |
| certificate | Certificate |
Action attribute
| Value of the Action attribute | Description |
| --- | --- |
| access | Request or grant access to an object |
| add | Create or add |
| authentication | Authenticate |
| block | Block, prevent |
| delete | Delete |
| detect | Detect or quarantine |
| end | End of the process |
| info | Informational event about the object |
| load | Load object |
| modify | Modify settings or state of the object |
| read | Read |
| receive | Receive |
| request | Query |
| send | Send |
| start | Start of the process |
| write | Write |
Result attribute
| Value of the Result attribute | Description |
| --- | --- |
| error | Error |
| failure | Failure |
| success | Success |
Threat attribute
| Value of the Threat attribute | Description |
| --- | --- |
| malware | Malicious object in the file system |
| vulnerability | Vulnerability exploits |
| attack | Attack |
| ddos | Indicators of a DDoS attack |
| phishing | Indicators of phishing |
| c2 | Command and Control |
| discovery | Reconnaissance |
| policy violation | Violation of security policies |
| tools | Suspicious tools used |
| escalation | Privilege escalation |
Source type attribute
| Value of the Source type attribute | Description |
| --- | --- |
| application | Application-level events: logins, configuration changes, errors, and so on. |
| AV | Events received from anti-virus protection systems. |
| database | Events from databases related to data manipulation. |
| IDS | Events from traffic analyzers and network protection tools. |
| network | Events containing information about network connections coming from firewalls; also events from NetFlow, J-Flow, and so on. |
| OS | Events from the operating system, such as Windows, Linux, Cisco IOS, HP-UX, and so on. Standard operating system tools or EDR can be the event provider. |
| vpn | VPN session events. |
| web | Events coming from web applications and proxies; application-level HTTP connection events. |
| container | Events providing information about the operation of containers. |