
cef0.kaspersky

Introduction

The cef0.kaspersky.* tables hold events in CEF format generated by Kaspersky services.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

| Tag | Data table |
|---|---|
| cef0.kaspersky.kaspersky | cef0.kaspersky.kaspersky |
| cef0.kasperskylab.securitycenter | cef0.kasperskylab.securitycenter |
| cef0.kaspersky.securityCenter | cef0.kaspersky.securityCenter |
| cef0.kaspersky.securityCenterNetworkAgent | cef0.kaspersky.securityCenterNetworkAgent |
| cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition | cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition |
| cef0.kaspersky.kasperskyEndpointSecurityForWindows | cef0.kaspersky.kasperskyEndpointSecurityForWindows |

How is the data sent to Devo?

Logs must be sent to the Devo platform through the Devo Relay, which secures the communication.

Log samples

The following are sample logs sent to some of the cef0.kaspersky tables. Under each sample log you will find how its information is parsed into the columns of the corresponding data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

This is a sample log sent to the cef0.kaspersky.kasperskyEndpointSecurityForWindows table.

2021-10-22 13:12:19.014 localhost=127.0.0.1 14 CEF: 0|Kaspersky|Kaspersky Endpoint Security for Windows|10.2.5.3201|GNRL_EV_SUSPICIOUS_OBJECT_FOUND|Probably infected object detected|Very-High| eventId=168010884486 externalId=1907735613 msg=Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen||r||nUser: HRIVERA||||PICKERCOR3$ (Initiator)||r||nObject: C:||||windows||||dwrcs||||dwrcset.dll end=1580911748790 mrt=1580915351800 in=-2147483648 out=-2147483648 customerID=S9PNelm0BABCAMelA0phEAQ||=||= customerURI=/All Customers/user/user catdt=Anti-Virus modelConfidence=0 severity=0 relevance=10 assetCriticality=0 priority=8 art=1580915351337 cat=File Anti-Virus deviceSeverity=Critical act=Detected rt=1580911747000 dhost=PICKERCOR3 dst=172.16.8.143 destinationZoneID=Mbp432AABABCDUVpYAT3UdQ||=||= destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 destinationZoneExternalID=RFC1918: 172.16.0.0-172.31.255.255 dntdom=2 dlong=0.0 dlat=0.0 fname=C:||||windows||||dwrcs||||dwrcset.dll cs1=not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen||r||nUser: HRIVERA||||PICKERCOR3$ (Initiator) cs6=Coruna flexString1=GNRL_EV_SUSPICIOUS_OBJECT_FOUND||=||=>Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen||r||nUser: HRIVERA||||PICKERCOR3$ (Initiator)||r||nObject: C:||||windows||||dwrcs||||dwrcset.dll||r||n cn3=362 locality=1 cs1Label=Virus Name cs2Label=Object cs3Label=Component cs4Label=Object Type cs5Label=Rule cs6Label=Group Name cn3Label=Session Number ahost=madame.es.company.com agt=10.74.181.57 amac=30-E1-71-63-87-14 av=7.9.0.8087.0 atz=UTC at=superagent_ng dvchost=SQLTI dtz=Europe/Paris eventAnnotationStageUpdateTime=1580915351843 eventAnnotationModificationTime=1580915351843 eventAnnotationAuditTrail=1,1580703964604,root,Queued,,,,||n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1580911748790 eventAnnotationManagerReceiptTime=1580915351800 originalAgentHostName=siem.hrivera.net originalAgentAddress=10.69.34.64 originalAgentMacAddress=00-50-56-9E-CB-79 originalAgentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 originalAgentVersion=7.13.0.8178.0 originalAgentId=3Skeasm4BABDKdXpthKr1lA||=||= originalAgentType=kaspersky_db _cefVer=0.1 ad.arcSightEventPath=3Skeasm4BABDKdXpthKr1lA||=||= aid=39FUBsW0BABCAAyIH2ffp4g||=||=

| Field | Value | Type | Source field name | Extra field |
|---|---|---|---|---|
| eventdate | 2021-10-22 13:12:19.014 | timestamp | | |
| hostname | localhost | str | | |
| priorityCode | 14 | str | | |
| cefTag | CEF | str | | |
| cefVersion | 0 | str | | |
| embDeviceVendor | Kaspersky | str | | |
| embDeviceProduct | Kaspersky Endpoint Security for Windows | str | | |
| deviceVersion | 10.2.5.3201 | str | | |
| signatureID | GNRL_EV_SUSPICIOUS_OBJECT_FOUND | str | | |
| name | Probably infected object detected | str | | |
| severity | Very-High | str | | |
| _cefVer | 0.1 | str | | |
| dntdom | 2 | str | | |
| cs3Label | Component | str | | |
| msg | Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator)\|\|r\|\|nObject: C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll | str | | |
| dvchost | SQLTI | str | | |
| cs4Label | Object Type | str | | |
| cs1 | not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator) | str | | |
| dst | 172.16.8.143 | ip4 | | |
| externalId | 1907735613 | int8 | | |
| cn3Label | Session Number | str | | |
| cat | File Anti-Virus | str | | |
| cs6 | Coruna | str | | |
| rt | 2020-02-05 14:09:07.0 | timestamp | | |
| end | 2020-02-05 14:09:08.79 | timestamp | | |
| fname | C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll | str | | |
| out | -2147483648 | int8 | | |
| cs2Label | Object | str | | |
| cs5Label | Rule | str | | |
| dhost | PICKERCOR3 | str | | |
| act | Detected | str | | |
| in | | int8 | | |
| cs6Label | Group Name | str | | |
| cn3 | 362 | int8 | | |
| cs1Label | Virus Name | str | | |
| dtz | Europe/Paris | str | | |
| eventAnnotationAuditTrail | 1,1580703964604,root,Queued,,,,\|\|n | str | | |
| eventAnnotationVersion | 1 | str | | |
| eventAnnotationModificationTime | 1580915351843 | str | | |
| art | 1580915351337 | str | | |
| originalAgentAddress | 10.69.34.64 | str | | |
| eventId | 168010884486 | str | | |
| at | superagent_ng | str | | |
| mrt | 1580915351800 | str | | |
| customerURI | /All Customers/user/user | str | | |
| dlat | 0.0 | str | | |
| originalAgentZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 | str | | |
| destinationZoneID | Mbp432AABABCDUVpYAT3UdQ\|\|=\|\|= | str | | |
| assetCriticality | 0 | str | | |
| eventAnnotationFlags | 0 | str | | |
| agt | 10.74.181.57 | str | | |
| modelConfidence | 0 | str | | |
| aid | 39FUBsW0BABCAAyIH2ffp4g\|\|=\|\|= | str | | |
| amac | 30-E1-71-63-87-14 | str | | |
| Severity | 0 | str | | |
| destinationZoneExternalID | RFC1918: 172.16.0.0-172.31.255.255 | str | | |
| relevance | 10 | str | | |
| av | 7.9.0.8087.0 | str | | |
| eventAnnotationStageUpdateTime | 1580915351843 | str | | |
| catdt | Anti-Virus | str | | |
| locality | 1 | str | | |
| ahost | madame.es.company.com | str | | |
| originalAgentVersion | 7.13.0.8178.0 | str | | |
| customerID | S9PNelm0BABCAMelA0phEAQ\|\|=\|\|= | str | | |
| dlong | 0.0 | str | | |
| atz | UTC | str | | |
| originalAgentMacAddress | 00-50-56-9E-CB-79 | str | | |
| originalAgentType | kaspersky_db | str | | |
| deviceSeverity | Critical | str | | |
| flexString1 | GNRL_EV_SUSPICIOUS_OBJECT_FOUND\|\|=\|\|=>Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator)\|\|r\|\|nObject: C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll\|\|r\|\|n | str | | |
| originalAgentId | 3Skeasm4BABDKdXpthKr1lA\|\|=\|\|= | str | | |
| eventAnnotationManagerReceiptTime | 1580915351800 | str | | |
| originalAgentHostName | siem.hrivera.net | str | | |
| priority | 8 | str | | |
| eventAnnotationEndTime | 1580911748790 | str | | |
| destinationZoneURI | /All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 | str | | |
| hostchain | localhost=127.0.0.1 | str | | |
| tag | CEF | str | cefTag | |
| rawMessage | CEF: 0\|Kaspersky\|Kaspersky Endpoint Security for Windows\|10.2.5.3201\|GNRL_EV_SUSPICIOUS_OBJECT_FOUND\|Probably infected object detected\|Very-High\| eventId=168010884486 externalId=1907735613 msg=Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator)\|\|r\|\|nObject: C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll end=1580911748790 mrt=1580915351800 in=-2147483648 out=-2147483648 customerID=S9PNelm0BABCAMelA0phEAQ\|\|=\|\|= customerURI=/All Customers/user/user catdt=Anti-Virus modelConfidence=0 severity=0 relevance=10 assetCriticality=0 priority=8 art=1580915351337 cat=File Anti-Virus deviceSeverity=Critical act=Detected rt=1580911747000 dhost=PICKERCOR3 dst=172.16.8.143 destinationZoneID=Mbp432AABABCDUVpYAT3UdQ\|\|=\|\|= destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 destinationZoneExternalID=RFC1918: 172.16.0.0-172.31.255.255 dntdom=2 dlong=0.0 dlat=0.0 fname=C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll cs1=not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator) cs6=Coruna flexString1=GNRL_EV_SUSPICIOUS_OBJECT_FOUND\|\|=\|\|=>Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\|\|r\|\|nUser: HRIVERA\|\|\|\|PICKERCOR3$ (Initiator)\|\|r\|\|nObject: C:\|\|\|\|windows\|\|\|\|dwrcs\|\|\|\|dwrcset.dll\|\|r\|\|n cn3=362 locality=1 cs1Label=Virus Name cs2Label=Object cs3Label=Component cs4Label=Object Type cs5Label=Rule cs6Label=Group Name cn3Label=Session Number ahost=madame.es.company.com agt=10.74.181.57 amac=30-E1-71-63-87-14 av=7.9.0.8087.0 atz=UTC at=superagent_ng dvchost=SQLTI dtz=Europe/Paris eventAnnotationStageUpdateTime=1580915351843 eventAnnotationModificationTime=1580915351843 eventAnnotationAuditTrail=1,1580703964604,root,Queued,,,,\|\|n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1580911748790 eventAnnotationManagerReceiptTime=1580915351800 originalAgentHostName=siem.hrivera.net originalAgentAddress=10.69.34.64 originalAgentMacAddress=00-50-56-9E-CB-79 originalAgentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 originalAgentVersion=7.13.0.8178.0 originalAgentId=3Skeasm4BABDKdXpthKr1lA\|\|=\|\|= originalAgentType=kaspersky_db _cefVer=0.1 ad.arcSightEventPath=3Skeasm4BABDKdXpthKr1lA\|\|=\|\|= aid=39FUBsW0BABCAAyIH2ffp4g\|\|=\|\|= | str | | |
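The two things this page describes, the cef0.deviceVendor.deviceProduct tag rule from the Tag structure section and the way the sample log above is split into the columns of the table, can be reproduced with a small parser. The following is an added example, not code from this page and not Devo's or Kaspersky's own tooling. It works on an abridged copy of the page's own sample log, and it assumes two things the page does not state explicitly: that the tag is built by removing the spaces from the vendor and product names and camel-casing them (inferred from "Kaspersky Endpoint Security for Windows" becoming kasperskyEndpointSecurityForWindows), and that the rt and end columns are the millisecond epoch values rendered in UTC with trailing zeros of the fraction dropped (inferred from 1580911747000 becoming 2020-02-05 14:09:07.0). The function names parse_devo_line, split_cef_header, parse_extensions, devo_tag and epoch_ms_to_ts are the example's own. Two details matter for anyone writing detections on these columns: the CEF header severity (Very-High) and the extension key severity (0) are different values and must not overwrite each other, and extension values are kept verbatim, so the ||-encoded sequences that Devo shows in msg and fname stay in the parsed fields.

```python
import re
from datetime import datetime, timezone

# Abridged copy of this page's sample log (Devo prefix plus a subset of the
# extension pairs); the '||'-encoded sequences are reproduced verbatim.
SAMPLE = (
    "2021-10-22 13:12:19.014 localhost=127.0.0.1 14 CEF: 0|Kaspersky|"
    "Kaspersky Endpoint Security for Windows|10.2.5.3201|"
    "GNRL_EV_SUSPICIOUS_OBJECT_FOUND|Probably infected object detected|Very-High| "
    "eventId=168010884486 externalId=1907735613 "
    "msg=Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen||r||nUser: "
    "HRIVERA||||PICKERCOR3$ (Initiator)||r||nObject: C:||||windows||||dwrcs||||dwrcset.dll "
    "end=1580911748790 severity=0 rt=1580911747000 dhost=PICKERCOR3 dst=172.16.8.143 "
    "fname=C:||||windows||||dwrcs||||dwrcset.dll cs1Label=Virus Name cn3=362 "
    "_cefVer=0.1 ad.arcSightEventPath=3Skeasm4BABDKdXpthKr1lA||=||="
)

# Column names this page's table uses for the seven CEF header fields.
HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")

# Devo prefix: eventdate, hostchain, priorityCode, then "CEF:" (the sample has
# a space after the colon, so optional whitespace is allowed) and the rest.
PREFIX_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<hostchain>\S+)\s+(?P<priorityCode>\d+)\s+(?P<cefTag>CEF):\s*(?P<rest>.*)$"
)
# Extension keys are identifier characters plus '.', e.g. ad.arcSightEventPath.
EXT_SPLIT_RE = re.compile(r"\s+(?=[\w.]+=)")


def split_cef_header(rest):
    """Split the seven pipe-delimited header fields; CEF escapes a literal
    pipe in the header as '\\|', so an escaped pipe is not a delimiter."""
    fields, cur, i = [], [], 0
    while i < len(rest) and len(fields) < 7:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):  # escaped character
            cur.append(rest[i + 1])
            i += 2
        elif ch == "|":  # field delimiter
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, rest[i:].strip()  # remainder is the extension string


def parse_extensions(ext):
    """Split 'key=value' pairs. Values may contain spaces and '=' (see msg and
    flexString1 in the sample), so split only on whitespace that precedes a
    key-like token followed by '=', and cut each pair at its first '='.
    Values are kept verbatim, exactly as the page's table shows them."""
    pairs = {}
    for chunk in EXT_SPLIT_RE.split(ext):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs[key] = value
    return pairs


def devo_tag(vendor, product):
    """cef0.<deviceVendor>.<deviceProduct>. Assumed normalisation inferred from
    the sample: drop spaces, lower-case the first letter, upper-case the first
    letter of every later word ('... Security for Windows' -> '...SecurityForWindows')."""
    def norm(text):
        words = text.split()
        head = words[0][:1].lower() + words[0][1:]
        return head + "".join(w[:1].upper() + w[1:] for w in words[1:])
    return "cef0.%s.%s" % (norm(vendor), norm(product))


def epoch_ms_to_ts(value):
    """Render a millisecond epoch (rt, end) in the UTC form the table shows:
    trailing zeros of the fraction dropped, one digit kept (14:09:07.0, 14:09:08.79)."""
    ms = int(value)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    frac = ("%03d" % (ms % 1000)).rstrip("0") or "0"
    return dt.strftime("%Y-%m-%d %H:%M:%S") + "." + frac


def parse_devo_line(line):
    """Devo prefix columns, header columns, extensions and destination tag. The
    header 'severity' (Very-High) and the extension key 'severity' (0) are
    stored apart so neither overwrites the other."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a Devo-prefixed CEF line")
    event = {k: m.group(k) for k in ("eventdate", "hostchain", "priorityCode", "cefTag")}
    event["hostname"] = event["hostchain"].split("=", 1)[0]
    header, ext = split_cef_header(m.group("rest"))
    event.update(zip(HEADER_FIELDS, header))
    event["extensions"] = parse_extensions(ext)
    event["tag"] = devo_tag(event["embDeviceVendor"], event["embDeviceProduct"])
    return event


if __name__ == "__main__":
    ev = parse_devo_line(SAMPLE)
    print(ev["tag"], ev["severity"], ev["extensions"]["severity"],
          epoch_ms_to_ts(ev["extensions"]["rt"]), ev["extensions"]["fname"])
```

The key-split heuristic in parse_extensions is the usual one for CEF and is also its weak point: a free-text value that itself contains a space followed by something shaped like `key=` would be cut early, so anything that keys detection logic on msg or cs1 should be validated against the rawMessage column rather than trusted blindly.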