SIEM and Syslog Integration
Log Formats

Threat Analytics Log

This section describes the Kron PAM threat analytics log. Each event is sent to the SIEM/syslog server as a CEF record carrying the following fields:

Field                 Description
dbId                  Database identifier for the threat log entry.
accessProtocol        Protocol used to access the system (e.g., SSHv2).
accessProtocolScore   Anomaly score associated with the access protocol.
commandLogId          Unique identifier of the associated command log.
logTime               Timestamp when the log was recorded (ISO 8601 format).
clientIp              IP address of the client initiating the session.
clientIpScore         Anomaly score related to the client IP address.
host                  IP address of the host being accessed.
hostScore             Anomaly score related to the host IP.
threatType            Type of detected threat (e.g., HOST_ANOMALY).
sessionId             Unique identifier of the user session.
severity              Severity level of the detected threat (e.g., LOW).
ruleName              Name of the rule triggered during the threat analysis.
userName              Username of the person running the session.
userScore             Anomaly score associated with the user.
actionDetail          Description of the action taken as a result of the analysis (e.g., logged only).
commandScore          Anomaly score related to the executed command(s).
firstResult           Score from the first anomaly detection result.
maxResult             Maximum score among all results.
totalScore            Combined anomaly score calculated for the session.
timeScore             Anomaly score based on access time behavior.

Example:

CEF:0|KRONTECH|Kron PAM|3.8.0|100|ThreatAnalyticsLog|10|dbId=2108456 accessProtocol=SSHv2 accessProtocolScore=0.0 commandLogId=2108392 logTime=2025-04-25T14:41:04.164Z clientIp=10.10.10.10 clientIpScore=0.030858738 host=10.10.20.20 hostScore=0.0 threatType=HOST_ANOMALY sessionId=4894b3738fbd0cf86958fe38 severity=LOW ruleName=Low userName=admin userScore=0.0 actionDetail=Anomaly is logged\nNO ACTION commandScore=0.025566567 firstResult=0 maxResult=0 totalScore=0.10262209 timeScore=0.45668516
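The following is an added example, not Kron's code, showing how a SIEM-side parser can split a record in this format into its CEF header and typed extension fields, then report which per-dimension scores drove the anomaly. It assumes standard CEF escaping (`\|` in the header, `\=` and `\n` in extension values); the sample record is constructed from the one shown above and the 0.3 threshold is an arbitrary choice.

```python
import re

# Constructed sample built from the record shown above; note the literal "\n"
# inside actionDetail, which CEF uses to encode a newline in an extension value.
SAMPLE = (
    r"CEF:0|KRONTECH|Kron PAM|3.8.0|100|ThreatAnalyticsLog|10|"
    r"dbId=2108456 accessProtocol=SSHv2 accessProtocolScore=0.0 commandLogId=2108392 "
    r"logTime=2025-04-25T14:41:04.164Z clientIp=10.10.10.10 clientIpScore=0.030858738 "
    r"host=10.10.20.20 hostScore=0.0 threatType=HOST_ANOMALY sessionId=4894b3738fbd0cf86958fe38 "
    r"severity=LOW ruleName=Low userName=admin userScore=0.0 actionDetail=Anomaly is logged\nNO ACTION "
    r"commandScore=0.025566567 firstResult=0 maxResult=0 totalScore=0.10262209 timeScore=0.45668516"
)

# CEF header layout: CEF:Version|Vendor|Product|Version|Signature ID|Name|Severity|Extension
HEADER_KEYS = ("version", "vendor", "product", "product_version", "signature_id", "name", "cef_severity")
# Extension fields that carry numeric anomaly scores and should be typed as floats.
SCORE_KEYS = {"accessProtocolScore", "clientIpScore", "hostScore", "userScore", "commandScore",
              "firstResult", "maxResult", "totalScore", "timeScore"}


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: \\n -> newline, \\= -> '=', \\\\ -> backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF record into header fields plus typed extension fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Seven header fields separated by unescaped pipes; everything after is the extension string.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_KEYS, (p.replace(r"\|", "|") for p in parts[:7])))
    # Extension values may contain spaces ("Anomaly is logged"), so split only on a
    # space that is followed by something shaped like the next key and '='.
    for pair in re.split(r" (?=[A-Za-z][A-Za-z0-9_]*=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        value = _unescape(value)
        record[key] = float(value) if key in SCORE_KEYS else value
    return record


def high_scores(record: dict, threshold: float = 0.3) -> list:
    """Return the score fields at or above the threshold, highest first, so an analyst
    sees which behaviour (access time, command, client IP, ...) triggered the alert."""
    hits = [k for k in SCORE_KEYS if k in record and record[k] >= threshold]
    return sorted(hits, key=lambda k: record[k], reverse=True)
```

For the sample record, only timeScore (0.4567) clears the threshold even though totalScore is low, which is the kind of detail worth surfacing in a SIEM dashboard rather than keying alerts on severity alone.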