Support

Support for business applications

Kaspersky Anti Targeted Attack (KATA) Platform

For administrators: Getting started with the application web interface

Configuring integration with an SIEM system

Content and properties of syslog messages about alerts

Kaspersky Anti Targeted Attack (KATA) Platform
Нет результатов
Knowledge Base Online Help
FAQ Download Forum Contact support Recovery tools

Content and properties of syslog messages about alerts

8 November 2023

ID 247573

Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.

The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.

The header of each syslog message about an alert contains the following information:

  • Format version.

    Current version number: 0. Current field value: CEF:0.

  • Vendor.

    Current field value: AO Kaspersky Lab.

  • Application name.

    Current field value: Kaspersky Anti Targeted Attack Platform.

  • Application version

    The current field value is 5.1.0-6596.

  • Alert type.

    See the table below.

  • Event name.

    See the table below.

  • Alert importance.

    Allowed field values: Low, Medium, High or 0 (for heartbeat messages).

  • Additional information.

    Example:

    CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |5.1.0-6596|url_web| URL from web detected|Low|

The body of a syslog message about an alert matches the information about the alert that is displayed in the application web interface. All fields are presented in the "<key>=<value>" format. Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.

The keys, as well as their values contained in a message, are presented in the table below.

Information about an alert in syslog messages

Alert type

Alert name and description

Key and description of its value

file_web

File from web detected

A file was detected in network traffic.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • requestMethod = <HTTP request method> (only for the HTTP(S) protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP(S) protocol).
  • request = <URL of the detected object> (only for the HTTP(S) protocol).
  • requestContext = <HTTP Referer header> (only for the HTTP(S) protocol).

file_mail

File from mail detected

A file was detected in mail traffic.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient email address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • msg = <message subject>.

ids

IDS event detected

An alert was generated by the Intrusion Detection System module.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • requestMethod = <HTTP request method> (only for the HTTP(S) protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP(S) protocol).
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • proto = <name of the network-level protocol> (TCP or UDP).
  • cs1 = <type of the detected object according to the Kaspersky Lab classification>.
  • cs2Label = <name of the IDS rule>.
  • cs2 = <number of the IDS rule>.
  • cs3 = <Intrusion Detection System module database version>.
  • requestMethod = <HTTP request method> (only for the HTTP protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP protocol).
  • request = <URL of the detected object>.

url_web

URL from web detected

An alert was generated by URL Reputation technology or Sandbox in network traffic.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs1 = <list of categories to which the URL of the detected object belongs>.
  • requestMethod = <HTTP request method>.
  • requestClientApplication = <User Agent of the client computer>.
  • request = <URL of the detected object>.
  • requestContext = <HTTP Referer header>.
  • reason = <HTTP response code>.

url_mail

URL from mail detected

An alert was generated by URL Reputation technology or Sandbox in mail traffic.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • msg = <message subject>.
  • request = <URL of the detected object>.
  • cs2 = <technology that was used to generate the alert> (Sandbox or URL Reputation).
  • cs3Label = <name of the virtual machine on which the file was detected> (only for Sandbox).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification> (for the Sandbox component) or <list of categories> (for URL Reputation).
  • cs3 = <version of databases used to scan the file> (only for Sandbox).

dns

DNS request detected

An alert was generated by URL Reputation technology in DNS traffic.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs2 = <list of URL categories to which the domain names belong>.
  • requestMethod = <type of DNS message> (request or response).
  • flexString1 = <type of record from the DNS request>.
  • dhost = <host name from the DNS request>.
  • cs1 = <list of domain names from the DNS response>.

file_endpoint

File from endpoint detected

The alert was generated by the Endpoint Agent component on the user's computer and contains a file.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • FilePath = <path to the file on the computer with the Endpoint Sensors component>.

iocScanning

IOC has tripped on endpoint

The alert was generated while carrying out an IOC scan of hosts with the Endpoint Agent component for Windows.

This type of alert is available if you are using KEDR functionality.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • cs1 = <name of the IOC file by which the alert was generated>.

taaScanning

TAA has tripped on events database

Alert resulting from the IOA analysis of events.

This type of alert is available if you are using KEDR functionality.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • shost = <name of the host on which the alert was generated>.
  • cs1 = <name of the IOA rule by which the alert was generated>.

yaraScanningEP

YARA has tripped on endpoint

The alert was generated while carrying out a YARA scan of hosts with the Endpoint Agent component for Windows.

This type of alert is available if you are using KEDR functionality.
  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost= <name of the host on which the alert was generated>.
  • cs1 = <name of the YARA rule by which the alert was generated>.

heartbeat

Periodic message containing the state of components.
  • dvchost = <name of server with the Central Node component>.
  • rt = <event date and time>.
  • KasperskyLabKATAcomponentName = <name of the component>.
  • KasperskyLabKATAcomponentState = <status of the component> (0 – OK, >0 – Error).

Kaspersky Professional Services
Implementation services. Health check and security system configuration. Contact us if you need expert help.
Kaspersky Premium Support (MSA): High‑priority incident processing
Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.