Kaspersky Security Center
Kaspersky Security Center (KSC) events — centralized endpoint security management console logs covering threat detections, network attacks, task completion, database updates, device health status, policy enforcement, license management, protection component status, and administration audit trails in JSON format.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/security-kaspersky-ksc/generator.yml \
  --id security-kaspersky-ksc \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| task-completed | Task Completed (GNRL_EV_TASK_STATE_CHANGED) | 20% | package |
| device-status | Device Status (KLSRV_HOST_STATUS_*) | 15% | host |
| update-status | Update Status (GNRL_EV_BASES_UPDATED/OUTDATED) | 15% | package |
| threat-detected | Threat Detected (GNRL_EV_VIRUS_FOUND) | 12% | malware |
| policy-event | Policy Events | 10% | configuration |
| network-attack | Network Attack (GNRL_EV_ATTACK_DETECTED) | 8% | intrusion_detection |
| protection-status | Protection Status | 8% | host |
| audit-event | Audit Events (KLAUD_EV_SERVERACTION) | 7% | authentication |
| license-event | License Events | 5% | configuration |
Realism Features
- Shared monotonic event ID counter across all event types for consistent ordering
- CSV-sampled host pool with hostname, IP, OS, group, and domain fields for correlated device identity
- CSV-sampled user pool with username, domain, department, and role for realistic user attribution
- Threat scenario library with KSC event class IDs, threat names, severity levels, and detection components
- Network attack scenarios with attacker IPs, protocols, CVE references, and IDS rule IDs
- Task metadata covering scan, update, patch, and inventory task types with duration and object counts
- Malware path templates with per-user directory substitution for realistic file system paths
Sample Output
```json
{
  "@timestamp": "2026-03-07T10:15:32.000Z",
  "event": {
    "category": ["malware"],
    "type": ["info"],
    "severity": 4,
    "outcome": "success",
    "module": "kaspersky",
    "dataset": "kaspersky.ksc"
  },
  "observer": {
    "vendor": "Kaspersky",
    "product": "Security Center",
    "version": "14.2.0.26967",
    "name": "KSC-SRV01",
    "ip": "10.1.0.10"
  },
  "host": {
    "hostname": "WS-FIN-PC03",
    "ip": "10.1.20.33",
    "os": { "name": "Windows 11", "version": "23H2" }
  },
  "kaspersky": {
    "ksc": {
      "event_id": 1042,
      "event_class_id": "GNRL_EV_VIRUS_FOUND",
      "event_type": "Virus found",
      "component": "File Threat Protection",
      "result": "Disinfected",
      "threat": {
        "name": "HEUR:Trojan.Win32.Generic",
        "level": "High"
      },
      "object": {
        "type": "file",
        "name": "C:\\Users\\jdoe\\Downloads\\invoice.exe",
        "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe"
      },
      "task": "Real-time protection",
      "group": "Managed devices/Workstations/Finance"
    }
  },
  "file": {
    "name": "invoice.exe",
    "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe",
    "size": 245760,
    "hash": {
      "sha256": "a1b2c3d4e5f6...",
      "md5": "d4e5f6a1b2c3..."
    }
  },
  "user": {
    "name": "jdoe",
    "domain": "CORP"
  },
  "related": {
    "hosts": ["WS-FIN-PC03"],
    "ip": ["10.1.20.33"],
    "user": ["jdoe"]
  }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| ksc_version | 14.2.0.26967 | KSC Administration Server version |
| ksc_server | KSC-SRV01 | KSC server hostname |
| ksc_server_ip | 10.1.0.10 | KSC server IP address |
| kes_version | 12.0.0.1131 | Kaspersky Endpoint Security agent version |
| update_source | https://dnl-01.geo.kaspersky.com/ | Signature database update source URL |
| license_type | KES for Business Advanced | Kaspersky license edition |
| license_count | 500 | Total licensed seat count |
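To show how the generator's output is consumed on the detection side, here is an added Python triage helper that is not part of this content pack: it reads NDJSON lines in the layout of the sample output above, keeps only GNRL_EV_VIRUS_FOUND events, and reports detections that were not neutralized plus hosts with repeated detections. The sample lines, the "Not disinfected"/"Deleted"/"Quarantined" result strings and the second host are constructed for the example and are assumptions, not values documented by the pack.

```python
import json
from collections import Counter

# Result strings treated as "neutralized". The page only shows "Disinfected";
# the others are assumed placeholders to align with your own KSC export.
NEUTRALIZED = {"Disinfected", "Deleted", "Quarantined"}


def ksc_threat_findings(ndjson_lines, min_severity=3):
    """Return (unresolved, repeat_hosts) for GNRL_EV_VIRUS_FOUND events:
    detections at or above min_severity whose result is not in NEUTRALIZED,
    and hostname -> detection count for hosts seen more than once."""
    unresolved, per_host = [], Counter()
    for line in ndjson_lines:
        if not line.strip():
            continue  # tolerate blank lines in a streamed NDJSON file
        ev = json.loads(line)
        ksc = ev.get("kaspersky", {}).get("ksc", {})
        if ksc.get("event_class_id") != "GNRL_EV_VIRUS_FOUND":
            continue
        host = ev.get("host", {}).get("hostname", "unknown")
        per_host[host] += 1
        if (ev.get("event", {}).get("severity", 0) >= min_severity
                and ksc.get("result") not in NEUTRALIZED):
            unresolved.append({"host": host, "user": ev.get("user", {}).get("name"),
                               "threat": ksc.get("threat", {}).get("name"),
                               "path": ksc.get("object", {}).get("path"),
                               "result": ksc.get("result")})
    return unresolved, {h: n for h, n in per_host.items() if n > 1}


def _event(host, user, threat, result, severity, class_id="GNRL_EV_VIRUS_FOUND"):
    """Build one line in the page's layout (constructed sample, not generator output)."""
    return json.dumps({
        "event": {"category": ["malware"], "severity": severity},
        "host": {"hostname": host},
        "user": {"name": user},
        "kaspersky": {"ksc": {
            "event_class_id": class_id, "result": result,
            "threat": {"name": threat},
            "object": {"path": f"C:\\Users\\{user}\\Downloads\\invoice.exe"},
        }},
    })


# Constructed sample: same host hit twice (second time not cleaned), one
# cleaned detection elsewhere, and one non-malware event that must be ignored.
SAMPLE_LINES = [
    _event("WS-FIN-PC03", "jdoe", "HEUR:Trojan.Win32.Generic", "Disinfected", 4),
    _event("WS-FIN-PC03", "jdoe", "HEUR:Trojan.Win32.Generic", "Not disinfected", 4),
    _event("WS-HR-PC01", "asmith", "Trojan.Win32.Agent", "Deleted", 3),
    _event("KSC-SRV01", "svc", "", "", 1, class_id="GNRL_EV_BASES_UPDATED"),
]
```

Run `ksc_threat_findings(open("events.ndjson"))` against a file produced with `--live-mode false` or a captured stream to exercise it on real generator output.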
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.