cef0.kaspersky
Introduction
The tables cef0.kaspersky.* identify events in CEF format generated by Kaspersky services.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
Tag | Data table |
---|---|
cef0.kaspersky.kaspersky | cef0.kaspersky.kaspersky |
cef0.kasperskylab.securitycenter | cef0.kasperskylab.securitycenter |
cef0.kaspersky.securityCenter | cef0.kaspersky.securityCenter |
cef0.kaspersky.securityCenterNetworkAgent | cef0.kaspersky.securityCenterNetworkAgent |
cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition | cef0.kaspersky.kasperskyAntivirusForWindowsServersEnterpriseEdition |
cef0.kaspersky.kasperskyEndpointSecurityForWindows | cef0.kaspersky.kasperskyEndpointSecurityForWindows |
How is the data sent to Devo?
Logs must be sent to the Devo platform via the Devo Relay to secure communication.
Log samples
The following are sample logs sent to some of the cef0.kaspersky tables. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
This is a sample log sent to the cef0.kaspersky.kasperskyEndpointSecurityForWindows table.
2021-10-22 13:12:19.014 localhost=127.0.0.1 14 CEF: 0|Kaspersky|Kaspersky Endpoint Security for Windows|10.2.5.3201|GNRL_EV_SUSPICIOUS_OBJECT_FOUND|Probably infected object detected|Very-High| eventId=168010884486 externalId=1907735613 msg=Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\r\nUser: HRIVERA\\PICKERCOR3$ (Initiator)\r\nObject: C:\\windows\\dwrcs\\dwrcset.dll end=1580911748790 mrt=1580915351800 in=-2147483648 out=-2147483648 customerID=S9PNelm0BABCAMelA0phEAQ\=\= customerURI=/All Customers/user/user catdt=Anti-Virus modelConfidence=0 severity=0 relevance=10 assetCriticality=0 priority=8 art=1580915351337 cat=File Anti-Virus deviceSeverity=Critical act=Detected rt=1580911747000 dhost=PICKERCOR3 dst=172.16.8.143 destinationZoneID=Mbp432AABABCDUVpYAT3UdQ\=\= destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 destinationZoneExternalID=RFC1918: 172.16.0.0-172.31.255.255 dntdom=2 dlong=0.0 dlat=0.0 fname=C:\\windows\\dwrcs\\dwrcset.dll cs1=not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\r\nUser: HRIVERA\\PICKERCOR3$ (Initiator) cs6=Coruna flexString1=GNRL_EV_SUSPICIOUS_OBJECT_FOUND\=\=>Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen\r\nUser: HRIVERA\\PICKERCOR3$ (Initiator)\r\nObject: C:\\windows\\dwrcs\\dwrcset.dll\r\n cn3=362 locality=1 cs1Label=Virus Name cs2Label=Object cs3Label=Component cs4Label=Object Type cs5Label=Rule cs6Label=Group Name cn3Label=Session Number ahost=madame.es.company.com agt=10.74.181.57 amac=30-E1-71-63-87-14 av=7.9.0.8087.0 atz=UTC at=superagent_ng dvchost=SQLTI dtz=Europe/Paris eventAnnotationStageUpdateTime=1580915351843 eventAnnotationModificationTime=1580915351843 eventAnnotationAuditTrail=1,1580703964604,root,Queued,,,,\n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1580911748790 eventAnnotationManagerReceiptTime=1580915351800 originalAgentHostName=siem.hrivera.net originalAgentAddress=10.69.34.64 originalAgentMacAddress=00-50-56-9E-CB-79 originalAgentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 originalAgentVersion=7.13.0.8178.0 originalAgentId=3Skeasm4BABDKdXpthKr1lA\=\= originalAgentType=kaspersky_db _cefVer=0.1 ad.arcSightEventPath=3Skeasm4BABDKdXpthKr1lA\=\= aid=39FUBsW0BABCAAyIH2ffp4g\=\=
Field | Value | Type | Source field name | Extra field |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
priorityCode | | | | |
cefTag | | | | |
cefVersion | | | | |
embDeviceVendor | | | | |
embDeviceProduct | | | | |
deviceVersion | | | | |
signatureID | | | | |
name | | | | |
severity | | | | |
_cefVer | | | | |
dntdom | | | | |
cs3Label | | | | |
msg | | | | |
dvchost | | | | |
cs4Label | | | | |
cs1 | | | | |
dst | | | | |
externalId | | | | |
cn3Label | | | | |
cat | | | | |
cs6 | | | | |
rt | | | | |
end | | | | |
fname | | | | |
out | | | | |
cs2Label | | | | |
cs5Label | | | | |
dhost | | | | |
act | | | | |
in | | | | |
cs6Label | | | | |
cn3 | | | | |
cs1Label | | | | |
dtz | | | | |
eventAnnotationAuditTrail | | | | |
eventAnnotationVersion | | | | |
eventAnnotationModificationTime | | | | |
art | | | | |
originalAgentAddress | | | | |
eventId | | | | |
at | | | | |
mrt | | | | |
customerURI | | | | |
dlat | | | | |
originalAgentZoneURI | | | | |
destinationZoneID | | | | |
assetCriticality | | | | |
eventAnnotationFlags | | | | |
agt | | | | |
modelConfidence | | | | |
aid | | | | |
amac | | | | |
Severity | | | | |
destinationZoneExternalID | | | | |
relevance | | | | |
av | | | | |
eventAnnotationStageUpdateTime | | | | |
catdt | | | | |
locality | | | | |
ahost | | | | |
originalAgentVersion | | | | |
customerID | | | | |
dlong | | | | |
atz | | | | |
originalAgentMacAddress | | | | |
originalAgentType | | | | |
deviceSeverity | | | | |
flexString1 | | | | |
originalAgentId | | | | |
eventAnnotationManagerReceiptTime | | | | |
originalAgentHostName | | | | |
priority | | | | |
eventAnnotationEndTime | | | | |
destinationZoneURI | | | | |
hostchain | | | | ✓ |
tag | | | cefTag | ✓ |
rawMessage | | | | ✓ |
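As an added example (not Devo's or Kaspersky's code), the following Python parses a syslog-wrapped CEF line such as the sample above, resolves the CEF escapes the sample contains (`\\`, `\=`, `\r\n`), keeps header and extension keys apart, and derives the `cef0.deviceVendor.deviceProduct` table name. The camel-casing rule in `table_segment` is an assumption modelled on the table names listed in this page, and the input is an abbreviated copy of the page's sample log.

```python
import re

# Constructed test input: the page's Kaspersky Endpoint Security sample, abbreviated.
# Backslash escapes are the CEF ones (\\ for a backslash, \= for '=', \r\n for CRLF).
SAMPLE = (
    "2021-10-22 13:12:19.014 localhost=127.0.0.1 14 CEF: 0|Kaspersky|"
    "Kaspersky Endpoint Security for Windows|10.2.5.3201|"
    "GNRL_EV_SUSPICIOUS_OBJECT_FOUND|Probably infected object detected|Very-High| "
    "eventId=168010884486 msg=Result: Detected: not-a-virus:HEUR:RemoteAdmin.Win32.DameWare.gen"
    "\\r\\nObject: C:\\\\windows\\\\dwrcs\\\\dwrcset.dll "
    "customerID=S9PNelm0BABCAMelA0phEAQ\\=\\= severity=0 dst=172.16.8.143 dhost=PICKERCOR3"
)
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureID", "name", "severity")
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "r": "\r", "n": "\n"}

def unescape(value):
    # Resolve the CEF escapes \\ \| \= \r \n; unknown escapes are left untouched.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)

def parse_cef(line):
    """Return {'header': {...}, 'ext': {...}} for a syslog-wrapped CEF line."""
    m = re.search(r"CEF:\s*(\d+)\|", line)        # the page's sample reads 'CEF: 0|'
    if not m:
        raise ValueError("no CEF header found")
    parts = re.split(r"(?<!\\)\|", line[m.start(1):], maxsplit=7)  # unescaped pipes only
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    header = {k: unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Extension: space-separated key=value pairs; a literal '=' inside a value is '\='.
    # Kept apart from the header because keys such as severity=0 would otherwise
    # overwrite the header's severity (the page lists both 'severity' and 'Severity').
    ext = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = unescape(value)
    return {"header": header, "ext": ext}

def table_segment(text):
    # Assumed normalisation modelled on the table names listed on the page:
    # drop non-alphanumerics, lower-case the first word, capitalise the following ones.
    words = [re.sub(r"[^A-Za-z0-9]", "", w) for w in text.split()]
    return words[0].lower() + "".join(w[:1].upper() + w[1:].lower() for w in words[1:])

def devo_table(event):
    """Target table per the page: cef0.deviceVendor.deviceProduct (vendor all lower-case)."""
    h = event["header"]
    return "cef0.%s.%s" % (table_segment(h["deviceVendor"]).lower(),
                           table_segment(h["deviceProduct"]))
```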