Kaspersky Secure Mail Gateway
Kaspersky Secure Mail Gateway (KSMG) ScanLogic events — anti-virus, anti-spam, anti-phishing, content filtering, mail authentication (SPF/DKIM/DMARC), KATA integration, message backup, and scan failure events in ECS-compatible JSON.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/email-kaspersky-ksmg/generator.yml \
  --id email-kaspersky-ksmg \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| av-scan | Anti-Virus scan results (clean, infected, disinfected, encrypted) | 25% | |
| as-scan | Anti-Spam scan results (clean, spam, probable spam, mass mail) | 25% | |
| ap-scan | Anti-Phishing scan results (clean, phishing, malicious links) | 15% | |
| ma-auth | Mail Authentication checks (SPF/DKIM/DMARC) | 15% | |
| cf-filter | Content Filtering (banned files, size violations) | 10% | |
| kt-kata | KATA integration (APT/zero-day detection) | 4% | |
| message-backup | Message quarantine events | 4% | |
| not-processed | Scan failure events (errors, timeouts) | 2% | |
Realism Features
- Weighted scan outcomes per module — e.g., AV: 93.5% clean, 3% infected, 1% disinfected, 2% encrypted
- Directional email flow — 72% inbound from external domains, 28% outbound from internal users
- Lognormal message sizes with realistic distribution (500 B to 30 MB)
- Categorized subjects tied to scan type — spam/phishing subjects for AS/AP, business subjects for others
- Threat database with realistic Kaspersky detection names (Trojan, Exploit, Ransomware, Stealer)
- Processing rule engine with weighted rule selection and configurable actions
Sample Output
```json
{
  "@timestamp": "2026-03-06T14:22:31.000Z",
  "event": {
    "kind": "event",
    "category": ["email"],
    "type": ["info"],
    "action": "scan-result",
    "outcome": "failure",
    "severity": 7,
    "reason": "ThreatDetected"
  },
  "observer": {
    "vendor": "Kaspersky",
    "product": "Secure Mail Gateway",
    "version": "2.0.1.6960",
    "hostname": "ksmg-node01",
    "ip": ["10.1.0.20"]
  },
  "email": {
    "direction": "inbound",
    "from": { "address": ["jdoe@partner-corp.com"] },
    "to": { "address": ["d.brown@corp.example.com"] },
    "subject": "Updated invoice attached"
  },
  "kaspersky": {
    "ksmg": {
      "event_class": "LMS_EV_SCAN_LOGIC_AV_STATUS",
      "scan_type": "av",
      "status": "Infected",
      "action": "Reject",
      "threat_name": "HEUR:Trojan.Script.Generic",
      "threat_file": "invoice_2024.pdf.exe"
    }
  }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| ksmg_hostname | ksmg-node01 | KSMG gateway hostname |
| ksmg_ip | 10.1.0.20 | KSMG gateway IP address |
| domain | corp.example.com | Organization email domain |
| ksmg_version | 2.0.1.6960 | KSMG software version |
| agent_id | c4d5e6f7-... | Elastic Agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
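As an added example (not part of the content pack), a small Python consumer for the newline-delimited JSON the generator emits in the shape shown under Sample Output: it tallies verdicts per scan module and flags events whose ECS `event.outcome` disagrees with the vendor `kaspersky.ksmg.status`, a useful sanity check before pointing a SIEM pipeline at the stream. It assumes a module that found nothing reports status "Clean" with outcome "success" (the page shows only the threat case), and the sample events are constructed.

```python
import json
from collections import Counter

# Constructed sample, not generator output: three NDJSON events trimmed to the
# fields this check reads. The third deliberately pairs a threat verdict with
# event.outcome "success" so the consistency check has something to flag.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"event": {"outcome": "failure", "reason": "ThreatDetected"},
     "kaspersky": {"ksmg": {"event_class": "LMS_EV_SCAN_LOGIC_AV_STATUS",
                            "scan_type": "av", "status": "Infected",
                            "action": "Reject",
                            "threat_name": "HEUR:Trojan.Script.Generic"}}},
    {"event": {"outcome": "success"},
     "kaspersky": {"ksmg": {"scan_type": "as", "status": "Clean"}}},
    {"event": {"outcome": "success"},
     "kaspersky": {"ksmg": {"scan_type": "ap", "status": "Phishing",
                            "action": "Reject"}}},
])

# Assumption: a module that found nothing reports status "Clean" (the Event
# Types table lists the verdict in lower case); every other status is a threat
# verdict and should carry event.outcome "failure", as in Sample Output.
CLEAN_STATUS = "Clean"


def parse_events(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def verdict_counts(events: list[dict]) -> Counter:
    """Tally (scan_type, status) pairs read from the kaspersky.ksmg block."""
    counts: Counter = Counter()
    for ev in events:
        k = ev["kaspersky"]["ksmg"]
        counts[(k["scan_type"], k["status"])] += 1
    return counts


def inconsistent_outcomes(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (scan_type, status, outcome) where ECS and vendor fields disagree."""
    bad = []
    for ev in events:
        k = ev["kaspersky"]["ksmg"]
        is_threat = k["status"] != CLEAN_STATUS
        outcome = ev["event"]["outcome"]
        if is_threat != (outcome == "failure"):
            bad.append((k["scan_type"], k["status"], outcome))
    return bad
```

Running `inconsistent_outcomes(parse_events(SAMPLE_NDJSON))` on the constructed sample returns only the phishing event, since its threat verdict was recorded with outcome "success".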
Related Generators
Microsoft Exchange Message Tracking
Exchange Server 2019 message tracking — SMTP receive/send, mailbox delivery, transport routing, shadow redundancy, anti-spam filtering, distribution group expansion, and delivery failure DSNs.
Fortinet FortiMail
FortiMail email security gateway — mail statistics, SMTP protocol events, antispam verdict (clean/spam/phishing), antivirus scanning with quarantine actions, and system administration logs.
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.