Security

Kaspersky Anti Targeted Attack

Kaspersky Anti Targeted Attack Platform (KATA) events — network-level threat detection appliance logs covering file analysis from web and mail traffic, endpoint file submissions, IDS alerts, URL reputation verdicts, DNS query inspection, IOC scanning results, TAA (Targeted Attack Analyzer) detections, and sensor heartbeat status in ECS-compatible JSON format.

View on GitHub

Quick Start

uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/security-kaspersky-kata/generator.yml \
  --id security-kaspersky-kata \
  --live-mode true

Event Types

Event ID	Description	Frequency	Category
file_web	File detected in web traffic (HTTP/HTTPS)	15%	malware
file_mail	File detected in mail traffic (SMTP)	12%	malware
ids	IDS signature match on network traffic	14%	intrusion_detection
url_web	URL reputation verdict from web traffic	12%	web
url_mail	URL reputation verdict from email links	8%	web
dns	Suspicious DNS query detection	10%	network
file_endpoint	File submitted from endpoint agent	10%	malware
iocScanning	IOC scanning match against threat intelligence feeds	7%	threat_intel
taaScanning	Targeted Attack Analyzer heuristic detection	7%	intrusion_detection
heartbeat	Sensor health and connectivity status	5%	host

Realism Features

Sandbox verdicts with static and dynamic analysis scores for file detections
IDS alerts with Suricata-compatible signature IDs and CVE references
IOC scanning results with hash, IP, and domain indicator types from threat feeds
TAA detections with MITRE ATT&CK technique IDs and kill chain phases
DNS query inspection with resolved IP addresses and domain reputation categories
Sensor heartbeat with component health, throughput metrics, and version info
CSV-sampled internal host pool with correlated hostname, IP, and OS fields

Sample Output

{
    "@timestamp": "2026-03-07T10:22:15.000Z",
    "event": {
        "category": ["malware"],
        "type": ["info"],
        "severity": 4,
        "outcome": "success",
        "module": "kaspersky",
        "dataset": "kaspersky.kata"
    },
    "observer": {
        "vendor": "Kaspersky",
        "product": "Anti Targeted Attack Platform",
        "version": "6.1.0.438",
        "name": "KATA-CN01",
        "ip": "10.1.0.20"
    },
    "kaspersky": {
        "kata": {
            "detection_type": "file_web",
            "verdict": "malware",
            "confidence": 95,
            "sandbox_score": 87,
            "static_score": 72,
            "technologies": ["sandbox", "static_analysis", "anti_malware"],
            "threat": {
                "name": "HEUR:Trojan.Script.Miner.gen",
                "level": "High"
            },
            "file": {
                "source": "web",
                "url": "http://cdn.example.com/scripts/update.js",
                "content_type": "application/javascript"
            }
        }
    },
    "source": {
        "ip": "10.1.30.55",
        "port": 52341
    },
    "destination": {
        "ip": "203.0.113.42",
        "port": 80,
        "domain": "cdn.example.com"
    },
    "file": {
        "name": "update.js",
        "size": 34521,
        "hash": {
            "sha256": "e3b0c44298fc1c14...",
            "md5": "d41d8cd98f00b204..."
        }
    },
    "host": {
        "hostname": "WS-MKT-PC12",
        "ip": "10.1.30.55"
    },
    "related": {
        "hosts": ["WS-MKT-PC12", "KATA-CN01"],
        "ip": ["10.1.30.55", "203.0.113.42", "10.1.0.20"]
    }
}

Parameters

Parameter	Default	Description
kata_version	6.1.0.438	KATA Central Node version
kata_server	KATA-CN01	KATA Central Node hostname
kata_server_ip	10.1.0.20	KATA Central Node IP address
sensor_count	3	Number of network sensors reporting to KATA
sandbox_enabled	true	Whether sandbox analysis is enabled for file verdicts

Related Generators

Security

Suricata IDS/IPS

Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.

Security

Palo Alto Threat

Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.

Security

Palo Alto URL Filtering

Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.