Event Actions List

Common Event Grammar › Normalizing and Categorizing Events › Event Actions › Event Actions List

Event Actions List

The CEG is divided into six sections and each of these six sections is further split in the following manner. For a successful mapping exercise some of the information from each of the specified sub-sections needs to be provided according the designation above. Fields designated in bold are required for each section to receive a PASS score if designated as Primary. Fields designated in bold-italic are alternative fields. Only one of the alternative fields is required for the section to receive a PASS score if designated as Primary.

Information	Field Information
Source - User Information	source_domainname, source_username, source_uid
Source - Host Information	source_hostname, source_address, source_mac_address, source_hostdomainname, source_port
Source - Object Information	source_objectname, source_objectid, source_objectattr, source_objectclass, source_objectvalue
Source - Process Information	source_processname
Source - Group Information	source_groupname, source_gid
Dest - User Information	dest_domainname, dest_username, dest_uid
Dest - Host Information	dest_hostname, dest_address, dest_mac_address, dest_hostdomainname, dest_port
Dest - Object Information	dest_objectname, dest_objectid, dest_objectattr, dest_objectclass, dest_objectvalue
Dest - Process Information	dest_processname
Dest - Group Information	dest_groupname, dest_gid
Agent - Information	agent_name, agent_version, agent_id, agent_group, agent_connector_name
Agent - Host Information	agent_hostname, agent_address, agent_hostdomainname
Event Source - Host Information	event_source_hostname, event_source_address, event_source_hostdomainname
Event Source - Information	event_source_processname
Event - Information	event_protocol, event_logname, event_euuid, event_count, event_summarized, event_duration, event_time_gmt, event_timezone, event_sequence, event_action, event_id, event_category, event_class, ideal_model, event_severity
Result - Information	event_result, result_string, result_signature, result_code, result_version, result_priority, result_scope, result_severity

The last two sections of the CEG are required sections for all actions.

For each action the CEG information is described as Primary, Secondary or Tertiary. The primary information is available from most of the event sources and is required for this event to be considered mapped. The secondary information is available from some of the event sources and is desired for this event to be considered mapped. Finally the tertiary information might be available from some event sources and, if available it should be mapped.

For example, The Account Creation action is looking for the answer to the following question: Who created which account on which host and on which host was this event information expressed? An answer might come in the form of: Administrator created UserA on HostA and the event was expressed by HostA. This information contains values for Source - User Information, Destination - Host Information, Destination User Information. In addition, each CEG event information should contain information on which Agent recorded the event and from which host the event was expressed. Putting this information into a table looks like this:

Information	Level
Source - User Information	Primary
Source - Host Information	Secondary
Source - Object Information	Tertiary
Source - Process Information	Tertiary
Source - Group Information	Tertiary
Dest - User Information	Primary
Dest - Host Information	Primary
Dest - Object Information	Secondary
Dest - Process Information	Tertiary
Dest - Group Information	Tertiary
Agent - Information	Primary
Agent - Host Information	Primary
Event Source - Host Information	Primary
Event Source - Information	Tertiary
Event - Information	Primary
Result - Information	Primary

For each action this table is provided with the information described accordingly. The following guidelines should be followed when observing the information in events.

For Type 1 events:

The host that expressed the information is the same as the host that the account was created on.
There may be information pertaining to the Source - Host Information and if so this information is identical to the host where the action occurred.
There should only be one set of host information in these events.

For Type 2 events:

There should be two sets of host information in these events.
The first set of host information refers to the Source - Host Information section and this host information should be different from the host where the action occurred.
There may be information pertaining to the host where the SIM Agent is installed but this information should be the same as the host where the action occurred and the host that expressed the event information.

For Type 3 events:

There are three sets of host information in these events.
The first set of information describes the Source - Host Information.
The second set of information describes the Dest - Host Information where the action occurred.
The third set of information describes the Event Source - Host Information where the event was expressed and the SIM agent is installed.

For Type 4 events:

There are four sets of host information in these events.
The first set of information describes the Source - Host Information.
The second set of information describes the Dest - Host Information where the action occurred.
The third set of information describes the Event Source - Host Information where the event was expressed.
The fourth set of information describes the Agent - Host Information where the SIM agent is installed.

Email CA Technologies about this topic