Kaspersky Unified Monitoring and Analysis Platform
3.4
English

Contents

KUMA audit events

Audit events are created when certain security-related actions are completed in KUMA. These events are used to ensure system integrity.

To view audit events, go to the Events section in KUMA and add "SELECT * FROM 'events' WHERE Type=4" to the query.

As a result of executing the query, audit events are displayed in the Events section if the user role allows viewing audit events.

In this section

Event fields with general information

User was successfully signed in or failed to sign in

User login successfully changed

User role was successfully changed

Other data of the user was successfully changed

User successfully logged out

User password was successfully changed

User was successfully created

User role was successfully assigned

User role was successfully revoked

The user has successfully edited the set of fields settings to define sources

User access token was successfully changed

Changed the set of spaces to differentiate access to events

Service was successfully created

Service was successfully deleted

Service was successfully reloaded

Service was successfully restarted

Service was successfully started

Service was successfully paired

Service status was changed

Storage partition was deleted by user

Storage partition was deleted automatically due to expiration

Storage partition was deleted automatically or moved due to exceeding the storage capacity.

Active list was successfully cleared or operation failed

Active list item was successfully changed, or operation was unsuccessful

Active list item was successfully deleted or operation was unsuccessful

Active list was successfully imported or operation failed

Active list was exported successfully

Resource was successfully added

Resource was successfully deleted

Resource was successfully updated

Asset was successfully created

Asset was successfully deleted

Asset category was successfully added

Asset category was deleted successfully

Settings were updated successfully

Tenant was successfully created

Tenant was successfully enabled

Tenant was successfully disabled

Other tenant data was successfully changed

Updated data retention policy after changing drives

The dictionary was successfully updated on the service or operation was unsuccessful

Response in Active Directory

Query sent to KIRA

KICS/KATA response

Kaspersky Automated Security Awareness Platform response

KEDR response

Importing MITRE ATT&CK techniques and tactics
Page top
[Topic 217744]

Event fields with general information

Every audit event has the event fields described below.

Event field name

Field value

ID

Unique event ID in the form of an UUID.

Timestamp

Event time.

DeviceHostName

The event source host. For audit events, it is the hostname where kuma-core is installed, because it is the source of events.

DeviceTimeZone

Timezone of the system time of the server hosting the KUMA Core in the format +-hh:mm.

Type

Type of the audit event. For audit event the value is 4.

TenantID

ID of the main tenant.

DeviceVendor

Kaspersky

DeviceProduct

KUMA

EndTime

Event creation time.

Page top
[Topic 217865]

User was successfully signed in or failed to sign in

Event field name

Field value

DeviceAction

user login

EventOutcome

succeeded or failed—the status depends on the success or failure of the operation.

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login.

SourceUserID

User ID.

Message

Description of the error; appears only if an error occurred during login. Otherwise, the field will be empty.

Page top
[Topic 218034]

User login successfully changed

Event field name

Field value

DeviceAction

user login changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change data.

SourceUserID

User ID that was used to change data.

DestinationUserName

User login whose data was changed.

DestinationUserID

User ID whose data was changed.

DeviceCustomString1

Current value of the login.

DeviceCustomString1Label

new login

DeviceCustomString2

Value of the login before it was changed.

DeviceCustomString2Label

old login

Page top
[Topic 218028]

User role was successfully changed

Event field name

Field value

DeviceAction

user role changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change data.

SourceUserID

User ID that was used to change data.

DestinationUserName

User login whose data was changed.

DestinationUserID

User ID whose data was changed.

DeviceCustomString1

Current value of the role.

DeviceCustomString1Label

new role

DeviceCustomString2

Value of the role before it was changed.

DeviceCustomString2Label

old role

Page top
[Topic 218030]

Other data of the user was successfully changed

Event field name

Field value

DeviceAction

user other info changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change data.

SourceUserID

User ID that was used to change data.

DestinationUserName

User login whose data was changed.

DestinationUserID

User ID whose data was changed.

Page top
[Topic 217947]

User successfully logged out

This event appears only when the user pressed the logout button.

This event will not appear if the user is logged out due to the end of the session or if the user logs in again from another browser.

Event field name

Field value

DeviceAction

user logout

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login.

SourceUserID

User ID.

Page top
[Topic 218032]

User password was successfully changed

Event field name

Field value

DeviceAction

user password changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change data.

SourceUserID

User ID that was used to change data.

DestinationUserName

User login whose data was changed.

DestinationUserID

User ID whose data was changed.

Page top
[Topic 218029]

User was successfully created

Event field name

Field value

DeviceAction

user created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to create the user account.

SourceUserID

User ID that was used to create the user account.

DestinationUserName

User login for which the user account was created.

DestinationUserID

User ID for which the user account was created.

DeviceCustomString1

Role of the created user.

DeviceCustomString1Label

role

Page top
[Topic 218033]

User role was successfully assigned

Event field name

Field value

DeviceAction

granted access

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user for whom the data changes were made.

SourceUserID

ID of the user for whom the data changes were made.

DestinationUserPrivileges

Role name. Available values: general admin, admin, analyst, operator.

DeviceCustomString5

ID of the tenant used to assign the role.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241703]

User role was successfully revoked

Event field name

Field value

DeviceAction

revoked access

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user who makes the changes.

SourceUserID

ID of the user who makes the changes.

DestinationUserName

Login of the user for whom the changes are made.

DestinationUserID

ID of the user for whom the changes are made.

DestinationUserPrivileges

Role name. Available values: general admin, admin, analyst, operator.

DeviceCustomString5

ID of the tenant used to assign the role.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241712]

The user has successfully edited the set of fields settings to define sources

Event field name

Field value

DeviceAction

settings updated

DeviceFacility

eventSourceIdentity

EventOutcome

succeeded

SourceUserName

Login of the user who makes the changes.

SourceUserID

ID of the user who makes the changes.

DeviceCustomString5

Updated set of fields, | is used as the delimiter.

Page top
[Topic 276306]

User access token was successfully changed

Event field name

Field value

DeviceAction

user access token changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change data.

SourceUserID

User ID that was used to change the data.

DestinationUserName

User login whose data was changed.

DestinationUserID

ID of the user whose data was changed.

Page top
[Topic 218027]

Changed the set of spaces to differentiate access to events

Event field name

Field value

DeviceAction
  • space set was created
  • space set was deleted
  • space set was updated (including granting and revoking access permissions)

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to edit settings.

DeviceCustomString2

ID of the space set.

DeviceCustomString2Label

set ID

DeviceCustomString3

Name of the space set.

DeviceCustomString3Label

set name

Page top
[Topic 294388]

Service was successfully created

Event field name

Field value

DeviceAction

service created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to create the service.

SourceUserID

User ID that was used to create the service.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217997]

Service was successfully deleted

Event field name

Field value

DeviceAction

service deleted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete the service.

SourceUserID

User ID that was used to delete the service.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DestinationAddress

Address of the device that was used to start the service. If the service has never been started before, the field will be empty.

DestinationHostName

The FQDN of the machine that was used to start the service. If the service has never been started before, the field will be empty.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217998]

Service was successfully reloaded

Event field name

Field value

DeviceAction

service reloaded

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to reset the service.

SourceUserID

User ID that was used to restart the service.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 218000]

Service was successfully restarted

Event field name

Field value

DeviceAction

service restarted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to restart the service.

SourceUserID

User ID that was used to restart the service.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 218001]

Service was successfully started

Event field name

Field value

DeviceAction

service started

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

Address that reported information about service start. It may be a proxy address if the information passed through a proxy.

SourcePort

Port that reported information about service start. It may be a proxy port if the information passed through a proxy.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DestinationAddress

Address of the device where the service was started.

DestinationHostName

FQDN of the device where the service was started.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 218002]

Service was successfully paired

Event field name

Field value

DeviceAction

service paired

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

Address that sent a service pairing request. It may be a proxy address if the request passed through a proxy.

SourcePort

Port that sent a service pairing request. It may be a proxy port if the request passed through a proxy.

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217999]

Service status was changed

Event field name

Field value

DeviceAction

service status changed

DeviceExternalID

Service ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DestinationAddress

Address of the device where the service was started.

DestinationHostName

FQDN of the device where the service was started.

DeviceCustomString1

green, yellow, or red

DeviceCustomString1Label

new status

DeviceCustomString2

green, yellow, or red

DeviceCustomString2Label

old status

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217996]

Storage partition was deleted by user

Event field name

Field value

DeviceAction

partition deleted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete partition.

SourceUserID

User ID that was used to delete partition.

Name

Storage name | Tenant of the partition being moved or deleted | Name of the space to which the partition belongs.

Message

deleted by user

Page top
[Topic 218012]

Storage partition was deleted automatically due to expiration

Event field name

Field value

DeviceAction

applied retention policy by days.

EventOutcome

succeeded or failed

Name

Storage name | Tenant of the partition being moved or deleted | Name of the space to which the partition belongs.

DeviceCustomDate1

Partition creation date.

DeviceCustomDate1Label

date of partition

SourceServiceName

scheduler

DeviceCustomString1

Node ID.

DeviceCustomString1Label

nodeID

Message

If moved:

  • If EventOutcome = succeeded, the moved partition data to cold storage message is displayed.
  • If EventOutcome = failed, the move partition data to cold storage failed: error description> error message is displayed.

If deleted:

  • If EventOutcome = succeeded , the deleted partition data message is displayed.
  • If EventOutcome = failed, the delete partition data failed: error description> error message is displayed.

DeviceCustomNumber1

Storage partition size in bytes.

DeviceCustomNumber1Label

size

DeviceCustomNumber2

Number of events in the storage partition.

DeviceCustomNumber2Label

events

Page top
[Topic 218014]

Storage partition was deleted automatically or moved due to exceeding the storage capacity.

In KUMA, you can set a condition for storage partitions to have the disk partition automatically moved or deleted if the configured maximum size of such a partition is reached or exceeded. The maximum storage capacity can be configured in one of the following ways:

  • Specify a percentage of the entire disk partition where the storage is installed.
  • Set the size of the disk partition in GB.

If the condition is checked and it is found that the size of the storage is equal to or greater than the configured size in percent or GB, an audit event is generated and the storage partition is moved or deleted.

Event field name

Field value

DeviceAction

If the storage partition size is specified as a percentage of the disk size, the value is applied retention policy by percent.

If the storage partition size is specified in GB, the value is applied retention policy by GB.

EventOutcome

succeeded or failed

Name

Storage name | Tenant of the partition being moved or deleted | Name of the space to which the partition belongs.

DeviceCustomDate1

Partition creation date.

DeviceCustomDate1Label

date of partition

SourceServiceName

scheduler

DeviceCustomString1

Node ID.

DeviceCustomString1Label

nodeID

Message

If moved:

  • If EventOutcome = succeeded, the moved partition data to cold storage message is displayed.
  • If EventOutcome = failed, the move partition data to cold storage failed: error description> error message is displayed.

If deleted:

  • If EventOutcome = succeeded , the deleted partition data message is displayed.
  • If EventOutcome = failed, the delete partition data failed: error description> error message is displayed.

DeviceCustomNumber1

Storage partition size in bytes.

DeviceCustomNumber1Label

size

DeviceCustomNumber2

Number of events in the storage partition.

DeviceCustomNumber2Label

events

Page top
[Topic 300065]

Active list was successfully cleared or operation failed

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

If an active list is modified using a correlation rule of the simple type, in which the Output and Loop actions are defined, an active list modification alert will be created each time the rule is triggered.

The event can be assigned the succeeded or failed status.

Since the request to clear an active list is made over a remote connection, a data transfer error may occur at any moment: both before and after deletion.

This means that the active list may be cleared successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, but not the succeeded or failed status of the active list clearing.

Event field name

Field value

DeviceAction

active list cleared

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to clear the active list.

SourceUserID

User ID that was used to clear the active list.

DeviceExternalID

Service ID whose active list was cleared.

ExternalID

Active list ID.

Name

Active list name.

Message

If EventOutcome = failed, an error message can be found here.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217705]

Active list item was successfully changed, or operation was unsuccessful

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

If an active list is modified using a correlation rule of the simple type, in which the Output and Loop actions are defined, an active list modification alert will be created each time the rule is triggered.

The event can be assigned the succeeded or failed status.

Since the request to change an active list item is made over a remote connection, a data transfer error may occur at any moment: both before and after the change.

This means that the active list item may be changed successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, but not the succeeded or failed status of the active list item change.

Event field name

Field value

DeviceAction

active list item changed

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login used to change the active list item.

SourceUserID

User ID used to change the active list item.

DeviceExternalID

Service ID for which the active list is changed.

ExternalID

Active list ID.

Name

Active list name.

DeviceCustomString1

Key name.

DeviceCustomString1Label

key

Message

If EventOutcome = failed, an error message can be found here.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name

DeviceCustomString6Label

tenant name

Page top
[Topic 241746]

Active list item was successfully deleted or operation was unsuccessful

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

If an active list is modified using a correlation rule of the simple type, in which the Output and Loop actions are defined, an active list modification alert will be created each time the rule is triggered.

The event can be assigned the succeeded or failed status.

Since the request to delete an active list item is made over a remote connection, a data transfer error may occur at any moment: both before and after deletion.

This means that the active list item may be deleted successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, but not the succeeded or failed status of the active list item deletion.

Event field name

Field value

DeviceAction

active list item deleted

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete the item from the active list.

SourceUserID

User ID that was used to delete the item from the active list.

DeviceExternalID

Service ID whose active list was cleared.

ExternalID

Active list ID.

Name

Active list name.

DeviceCustomString1

Key name.

DeviceCustomString1Label

key

Message

If EventOutcome = failed, an error message can be found here.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217703]

Active list was successfully imported or operation failed

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

If an active list is modified using a correlation rule of the simple type, in which the Output and Loop actions are defined, an active list modification alert will be created each time the rule is triggered.

Active list items are imported in parts via a remote connection.

Since the import is performed via a remote connection, a data transfer error can occur at any time: when the data is imported partially or completely. EventOutcome returns the connection status, not the import status.

Event field name

Field value

DeviceAction

active list imported

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to perform the import.

SourceUserID

User ID that was used to perform the import.

DeviceExternalID

Service ID for which an import was performed.

ExternalID

Active list ID.

Name

Active list name.

Message

If EventOutcome = failed, an error message can be found here.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name

DeviceCustomString6Label

tenant name

Page top
[Topic 217706]

Active list was exported successfully

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

If an active list is modified using a correlation rule of the simple type, in which the Output and Loop actions are defined, an active list modification alert will be created each time the rule is triggered.

Event field name

Field value

DeviceAction

active list exported

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to perform the export.

SourceUserID

User ID that was used to perform the export.

DeviceExternalID

Service ID for which an export was performed.

ExternalID

Active list ID.

Name

Active list name.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name

DeviceCustomString6Label

tenant name

Page top
[Topic 217704]

Resource was successfully added

Event field name

Field value

DeviceAction

resource added

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to add the resource.

SourceUserID

User ID that was used to add the resource.

DeviceExternalID

Resource ID.

DeviceProcessName

Resource name.

DeviceFacility

Resource type:

  • activeList
  • agent
  • aggregationRule
  • collector
  • connection
  • connector
  • correlationRule
  • correlator
  • destination
  • dictionary
  • enrichmentRule
  • filter
  • normalizer
  • proxy
  • responseRule
  • storage

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217968]

Resource was successfully deleted

Event field name

Field value

DeviceAction

resource deleted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete the resource.

SourceUserID

User ID that was used to delete the resource.

DeviceExternalID

Resource ID.

DeviceProcessName

Resource name.

DeviceFacility

Resource type:

  • activeList
  • agent
  • aggregationRule
  • collector
  • connection
  • connector
  • correlationRule
  • correlator
  • destination
  • dictionary
  • enrichmentRule
  • filter
  • normalizer
  • proxy
  • responseRule
  • storage

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217969]

Resource was successfully updated

Event field name

Field value

DeviceAction

resource updated

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to update the resource.

SourceUserID

User ID that was used to update the resource.

DeviceExternalID

Resource ID.

DeviceProcessName

Resource name.

DeviceFacility

Resource type:

  • activeList
  • agent
  • aggregationRule
  • collector
  • connection
  • connector
  • correlationRule
  • correlator
  • destination
  • dictionary
  • enrichmentRule
  • filter
  • normalizer
  • proxy
  • responseRule
  • storage

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217970]

Asset was successfully created

Event field name

Field value

DeviceAction

asset created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to add the asset.

SourceUserID

User ID that was used to add the asset.

DeviceAssetID

Asset ID.

SourceHostName

Asset ID.

Name

Asset name.

DeviceCustomString1

Comma-separated IP addresses of the asset.

DeviceCustomString1Label

addresses

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217742]

Asset was successfully deleted

Event field name

Field value

DeviceAction

asset deleted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to add the asset.

SourceUserID

User ID that was used to add the asset.

DeviceAssetID

Asset ID.

SourceHostName

Asset ID.

Name

Asset name.

DeviceCustomString1

Comma-separated IP addresses of the asset.

DeviceCustomString1Label

addresses

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217741]

Asset category was successfully added

Event field name

Field value

DeviceAction

category created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to add the category.

SourceUserID

User ID that was used to add the category.

DeviceExternalID

Category ID.

Name

Category name.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217740]

Asset category was deleted successfully

Event field name

Field value

DeviceAction

category deleted

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete the category.

SourceUserID

User ID that was used to delete the category.

DeviceExternalID

Category ID.

Name

Category name.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 217739]

Settings were updated successfully

Event field name

Field value

DeviceAction

settings updated

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to update the settings.

SourceUserID

User ID that was used to update the settings.

DeviceFacility

Type of settings.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 218005]

Tenant was successfully created

Event field name

Field value

DeviceAction

tenant created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login used to create the tenant.

SourceUserID

User ID used to create the tenant.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241753]

Tenant was successfully enabled

Event field name

Field value

DeviceAction

tenant enabled

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login used to enable the tenant.

SourceUserID

User ID used to enable the tenant.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241764]

Tenant was successfully disabled

Event field name

Field value

DeviceAction

tenant disabled

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login used to disable the tenant.

SourceUserID

User ID used to disable the tenant.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241766]

Other tenant data was successfully changed

Event field name

Field value

DeviceAction

tenant other info changed

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change the tenant data.

SourceUserID

User ID that was used to change the tenant data.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 241767]

Updated data retention policy after changing drives

Event field name

Field value

DeviceAction

storage policy modified

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change the tenant data.

SourceUserID

User ID that was used to change the tenant data.

Page top
[Topic 241770]

The dictionary was successfully updated on the service or operation was unsuccessful

Event field name

Field value

DeviceAction

service created

EventOutcome

succeeded

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to create the service.

SourceUserID

User ID that was used to create the service.

DeviceExternalID

Service ID.

ExternalID

Dictionary ID.

DeviceProcessName

Service name.

DeviceFacility

Service type.

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Message

If EventOutcome = failed, an error message can be found here.

Page top
[Topic 241769]

Response in Active Directory

Event field name

Field value

DeviceAction

ad response

DeviceFacility

manual response or automatic response

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to change the tenant data.

SourceUserID

User ID that was used to change the tenant data.

DeviceCustomString3

Response rule name: CHANGE_PASSWORD, ADD_TO_GROUP, REMOVE_FROM_GROUP, BLOCK_USER.

DeviceCustomString3Label

response rule name

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

DestinationUserName

The Active Directory user account to which the response is invoked (sAMAccountName).

DestinationNtDomain

Domain of the Active Directory user account to which the response is invoked.

DestinationUserID

Account UUID in KUMA.

FlexString1

Information about the group where the user was added or deleted.

FlexString1Label

group DN

Page top
[Topic 241775]

Request sent to KIRA

Event field name

Field value

DeviceAction

KIRA task

EventOutcome

succeeded/failed

SourceUserName

User login used to send the request.

SourceUserID

User ID used to send the request.

DeviceCustomString1

The resulting string that was sent.

DeviceCustomString1Label

cmd

DeviceCustomString2

ID of the event from which the request was sent.

DeviceCustomString2Label

event

DeviceCustomString3

ID of the task created to send the request.

DeviceCustomString3Label

task

Page top
[Topic 294917]

KICS/KATA response

Event field name

Field value

DeviceAction

KICS response

DeviceFacility

manual response or automatic response

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user who sent the request.

SourceUserID

ID of the user who sent the request.

DeviceCustomString3

Response rule name: Authorized, Not Authorized.

DeviceCustomString3Label

response rule name

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

DeviceAssetID

Asset ID.

SourceHostName

Asset FQDN.

Name

Asset name.

DeviceCustomString1

List of IP addresses for the asset.

DeviceCustomString1Label

addresses

Page top
[Topic 245019]

Kaspersky Automated Security Awareness Platform response

Event field name

Field value

DeviceAction

KASAP response

DeviceFacility

manual response

EventOutcome

succeeded or failed

Message

Description of the error, if an error occurred, otherwise the field is empty.

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user who sent the request.

SourceUserID

ID of the user who sent the request.

DeviceCustomString1

The manager of the user to whom the course is assigned.

DeviceCustomString1Label

manager

DeviceCustomString3

Information about the group where the user belonged. Not available for failed.

DeviceCustomString3Label

manager

DeviceCustomString4

Information about the group where the user was added.

DeviceCustomString4Label

new kasap group

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

DestinationUserID

ID of the Active Directory user account which causes the response.

DestinationUserName

Account name (sAMAccountName).

DestinationNtDomain

Domain of the Active Directory user account which causes the response.

Page top
[Topic 245020]

KEDR response

Event field name

Field value

DeviceAction

KEDR response

DeviceFacility

manual response or automatic response

EventOutcome

succeeded or failed

Message

Description of the error, if an error occurred, otherwise the field is empty.

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

Login of the user who sent the request.

SourceUserID

ID of the user who sent the request.

SourceAssetID

KUMA asset ID which causes the response. The value is not specified if the response is based on a hash or for all assets.

DeviceExternalID

The external ID assigned to KUMA in KEDR. If there is only one external ID, it is not filled in when started on user hosts.

DeviceCustomString1

List of IP/FQDN addresses of the asset for the host prevention rule based on the selected hash from the event card.

DeviceCustomString1Label

user defined list of ips or hostnames

DeviceCustomString2

Sensor ID parameter in KEDR (UUIDv4 | 'all' | 'custom').

DeviceCustomString2Label

sensor id of asset in KATA/EDR

ServiceID

ID of the service that caused the response. Filled in only in case of automatic response.

DeviceCustomString3

Task type name: enable_network_isolation, disable_network_isolation, enable_prevention, disable_prevention, run_process.

DeviceCustomString3Label

kedr response kind

DeviceCustomString5

Tenant ID.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top
[Topic 245021]