

Identify the Simple Filter for Severe Events

Events vary in severity from informational to fatal. CA assigns a value between 2 and 7 to indicate the severity of events based on the CEG model of Category, Class, Action and Result. Severity 7 is assigned to system shutdown events. Severity 6 is assigned to events with high security implications or that need immediate attention.

If you plan to create custom queries or to customize predefined queries for use in alerts, it is a good idea to examine the CEG model definitions of severe event types. The model definition is the basis for simple filters. That is, you can create queries that retrieve events based on your specification of their event category, event class, event action, and event result.

Simple filters include the values for event category, event class, event action, and event result.

To identify the simple filter for severe events

  1. Click the Help link.
  2. Expand Common Event Grammar, and select Security Level Assignment.
  3. Copy the table to a spreadsheet and sort by Security Level from highest to lowest.

    The resulting table lists event types beginning with the most severe based on CA Security Level assignment.

    An example follows. Your results will reflect the current CEG definitions.

| Category | Class | Action | Result | Security Level |
| --- | --- | --- | --- | --- |
| Operational Security | System Activity | System Shutdown | Success | 7 |
| Operational Security | System Activity | System Shutdown | Failure | 7 |
| Configuration Management | Configuration Management | Configuration Error | Success | 6 |
| Data Access | Object Management | Control File Creation | Success | 6 |
| Host Security | Antivirus Activity | Scan Error | Success | 6 |
| Host Security | Antivirus Activity | Virus Clean | Failure | 6 |
| Host Security | Antivirus Activity | Virus Detected | Success | 6 |
| Host Security | Antivirus Activity | Virus Quarantine | Failure | 6 |
| Host Security | IDS/IPS Activity | Signature Violation | Success | 6 |
| Network Security | Signature Violation Activity | Signature Violation | Success | 6 |
| Operational Security | System Activity | System Startup | Failure | 6 |
| Operational Security | Security Log Activity | Security Log Clear | Success | 6 |
| Operational Security | Security Log Activity | Security Log Clear | Failure | 6 |
| System Access | Authentication Activity | Authentication Fallback | Failure | 6 |
| System Access | Authentication Activity | Authentication Start | Failure | 6 |
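The procedure above and the simple-filter idea, worked through as an added Python example that is not part of the CA documentation: it holds the rows of the table above as data, sorts them by Security Level from highest to lowest as step 3 does, derives the category/class/action/result combinations that make up the simple filter for severe events, and applies that filter to a few constructed, already-normalized events. The function names, the `event_class` field name and the sample events are assumptions of this example; none of it is CA Enterprise Log Manager query syntax, and the live CEG definitions may differ from the rows copied here.

```python
from collections import namedtuple

# One row of the CEG Security Level Assignment table. Field names are this
# example's own; "event_class" is used because "class" is a Python keyword.
CegRow = namedtuple("CegRow", "category event_class action result level")

# Rows copied from the table on this page; the live CEG definitions may differ.
CEG_SECURITY_LEVELS = [
    CegRow("Operational Security", "System Activity", "System Shutdown", "Success", 7),
    CegRow("Operational Security", "System Activity", "System Shutdown", "Failure", 7),
    CegRow("Configuration Management", "Configuration Management", "Configuration Error", "Success", 6),
    CegRow("Data Access", "Object Management", "Control File Creation", "Success", 6),
    CegRow("Host Security", "Antivirus Activity", "Scan Error", "Success", 6),
    CegRow("Host Security", "Antivirus Activity", "Virus Clean", "Failure", 6),
    CegRow("Host Security", "Antivirus Activity", "Virus Detected", "Success", 6),
    CegRow("Host Security", "Antivirus Activity", "Virus Quarantine", "Failure", 6),
    CegRow("Host Security", "IDS/IPS Activity", "Signature Violation", "Success", 6),
    CegRow("Network Security", "Signature Violation Activity", "Signature Violation", "Success", 6),
    CegRow("Operational Security", "System Activity", "System Startup", "Failure", 6),
    CegRow("Operational Security", "Security Log Activity", "Security Log Clear", "Success", 6),
    CegRow("Operational Security", "Security Log Activity", "Security Log Clear", "Failure", 6),
    CegRow("System Access", "Authentication Activity", "Authentication Fallback", "Failure", 6),
    CegRow("System Access", "Authentication Activity", "Authentication Start", "Failure", 6),
]

# The four CEG fields a simple filter is built from, in filter order.
FILTER_FIELDS = ("category", "event_class", "action", "result")


def sort_by_security_level(rows):
    """Step 3: order the table from the highest Security Level to the lowest.
    sorted() is stable, so rows with equal levels keep their table order."""
    return sorted(rows, key=lambda r: r.level, reverse=True)


def simple_filter(rows, min_level):
    """The simple filter for events at or above min_level: the set of
    (category, class, action, result) combinations a query would match on."""
    return {(r.category, r.event_class, r.action, r.result)
            for r in rows if r.level >= min_level}


def event_key(event):
    """The four CEG fields of a normalized event, as a tuple in filter order."""
    return tuple(event[f] for f in FILTER_FIELDS)


def severity_of(event, rows=CEG_SECURITY_LEVELS):
    """Look up the CA Security Level of an event, or None when its
    category/class/action/result combination is not in the table."""
    levels = {(r.category, r.event_class, r.action, r.result): r.level for r in rows}
    return levels.get(event_key(event))


def filter_events(events, min_level, rows=CEG_SECURITY_LEVELS):
    """Apply the simple filter: keep only events whose four CEG fields match
    a table row at or above min_level, preserving input order."""
    wanted = simple_filter(rows, min_level)
    return [e for e in events if event_key(e) in wanted]


# Constructed sample events (not real CA ELM output), already normalized to CEG fields.
# evt-2 is an Authentication Start with result Success; the table only lists the
# Failure result at level 6, so the severe filter must not match it.
SAMPLE_EVENTS = [
    {"id": "evt-1", "category": "Operational Security", "event_class": "Security Log Activity",
     "action": "Security Log Clear", "result": "Success"},
    {"id": "evt-2", "category": "System Access", "event_class": "Authentication Activity",
     "action": "Authentication Start", "result": "Success"},
    {"id": "evt-3", "category": "Operational Security", "event_class": "System Activity",
     "action": "System Shutdown", "result": "Failure"},
]

if __name__ == "__main__":
    for row in sort_by_security_level(CEG_SECURITY_LEVELS):
        print(row.level, row.category, "/", row.event_class, "/", row.action, "/", row.result)
    for e in filter_events(SAMPLE_EVENTS, 6):
        print("severe:", e["id"], "level", severity_of(e))
```

Raising `min_level` from 6 to 7 narrows the filter to the two system-shutdown rows, which is the same adjustment you would make when deciding how much of the sorted table an action alert should cover.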