Previous Topic: Event CategoriesNext Topic: Event Classes


Event Categories List

The following is the current list event categories:

Name

Description

Identity Management

Identity Management (IM) consists of account management, group management, identity management and user rights management. This includes events such as account created, account modified, group membership additions, group creations or deletions and others.

Configuration Management

Configuration and Policy Management consists of information collected from policy changes or configuration changes. This is across all devices such as Firewalls, Hosts, Servers or Audit/SCC policies. This includes events such as policy change, policy creation or configuration change events.

Content Security

Content Security consists of information provided by Content inspection tools that monitor content in Internet communication channels including email, WebMail, IM, FTP and online collaboration tools (such as Blogs and Wikis).

Data Access

Data Access consists of information provided by a DBMS or database monitoring tools. This includes events such as query executed, table created, index modified, etc.

Host Security

Host Security and Integrity consists of information about the security of a single host (usually desktop systems). This includes events such as “Virus Detected”, “Virus Cleaned”, etc.

Network Security

Network Security consists of information pertaining to the protection of network entities from access by other network entities. This includes events such as firewall drop logs or IDS/IPS violation alerts.

Operational Security

Operational Security consists of information pertaining to the capability of maintaining normal operations. This includes events such as service stop, service start, system shutdown or system startup. This also includes events such as “security log cleared”.

Physical Access

Physical Access consists of information collected about attempts to enter through physical security devices. This includes events such as “badge scanned” or “camera disabled”.

Resource Access

Resource Access consists of information collected about attempts to access resources. This includes access to file resources, registry resources or URI resources. For resources the host is the host that recorded the event and the user is the user or identity trying to access the resource.

System Access

System Access consists of information collected from access attempts to various systems. This includes events such as logins or set user attempts as well as network authentication attempts (VPNs, NAP, 802.11x). For system access, a resource is an application which is facilitating the login process. For example, ftpd or sshd would be considered resources for the system access area.

Unknown Category

Events that are not mapped to a specific category are mapped to “Unknown Category”. In the Data Mapping files, if all the mapping conditions fail to match a specific event, the event is tagged with this category. Data Mapping files should be updated to reduce the events with “Unknown” category.

Vulnerability Management

Vulnerability Management consists of information collected from security assessment and management tools. This includes events such as “vulnerability found” or “patch needed”.

SIM Operations

SIM Operations contains operational reports about the health of operations for the SIM. This information is independent from the information collected and processed by the SIM.