The fourth step to normalizing event information in the CEG is to determine the normalized action that is expressed by the event information. The event_action field provides a placeholder where common actions that have occurred can be normalized with a common name.
It describes exactly what happened in a short phrase without details. For example, Account Creation is an action that implies someone has created an account or a number of accounts on a specific host.
The event_action field is associated with an event category and an event class. For example, the Account Creation event_action is associated with the Identity Management event_category and the Account Management event_class.
Every event action can have one or more of the following result values: Success, Failure, Accept, Reject, Drop, Unknown.
For example, all failed logons are normalized with a logon attempt action value in the event_action field. If the logon attempt failed, a value of Failure appears in the event_result field; if it succeeded, a value of Success appears in the event_result field.
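The following is an added illustration of this normalization step, not code from CA or from the CEG documentation. It takes the facts stated above (the event_action / event_category / event_class fields, the Account Creation pairing with Identity Management and Account Management, the Logon Attempt action, and the six allowed event_result values) and shows how a small normalizer would assign them to raw events. The raw log format, the regular expressions, the category and class assumed for Logon Attempt, and the host and user names are all constructed for this example.

```python
"""Added example: map raw event text onto the CEG event_action,
event_category, event_class and event_result fields.

Assumptions (not from the page): the '<host> <message>' raw line shape,
the regexes below, and the category/class pairing for Logon Attempt.
"""
import re
from dataclasses import dataclass

# The result values the text lists for event_result.
VALID_RESULTS = frozenset({"Success", "Failure", "Accept", "Reject", "Drop", "Unknown"})

# Each normalized action is tied to one category and one class.
# The Account Creation pairing is from the page; the Logon Attempt
# pairing is an assumption for this example.
ACTION_TAXONOMY = {
    "Account Creation": ("Identity Management", "Account Management"),
    "Logon Attempt": ("Identity Management", "Authentication"),  # assumed
}

# Recognizers over the constructed raw format; each yields an action name.
RULES = [
    (re.compile(r"^user (?P<user>\S+) (?P<outcome>created) account (?P<target>\S+)$"),
     "Account Creation"),
    (re.compile(r"^logon (?P<outcome>succeeded|failed) for (?P<user>\S+)$"),
     "Logon Attempt"),
]

# Raw outcome words -> normalized event_result; anything else is Unknown.
OUTCOME_TO_RESULT = {"created": "Success", "succeeded": "Success", "failed": "Failure"}


@dataclass(frozen=True)
class NormalizedEvent:
    source_hostname: str
    event_action: str
    event_category: str
    event_class: str
    event_result: str
    actor: str


def normalize(raw_line):
    """Return a NormalizedEvent for a recognized line, or None otherwise.

    The same action (e.g. Logon Attempt) is emitted for both the failed and
    the successful case; only event_result differs.
    """
    host, _, message = raw_line.partition(" ")
    for pattern, action in RULES:
        match = pattern.match(message)
        if not match:
            continue
        category, event_class = ACTION_TAXONOMY[action]
        result = OUTCOME_TO_RESULT.get(match.group("outcome"), "Unknown")
        if result not in VALID_RESULTS:  # guards against a bad mapping entry
            raise ValueError(f"invalid event_result {result!r}")
        return NormalizedEvent(host, action, category, event_class, result,
                               match.group("user"))
    return None


def normalize_all(lines):
    """Normalize a batch of raw lines; unrecognized lines map to None."""
    return [normalize(line) for line in lines]


# Constructed sample input: one account creation, a failed and a
# successful logon, and one line no rule recognizes.
SAMPLE_LOG = [
    "hr-srv01 user alice created account bob",
    "hr-srv01 logon failed for bob",
    "hr-srv01 logon succeeded for bob",
    "hr-srv01 service cron started",
]

if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LOG):
        print(event)
```

Keeping the taxonomy in one table means every event_action carries exactly one event_category and event_class, which is the relationship the text describes; the failed and successful logon lines both become a Logon Attempt and are told apart only by event_result.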
Copyright © 2011 CA. All rights reserved.