
Sheriff CSM™

Alarms List — Fields

Alarms list fields
Column/Field Name: Description
Date: Date and time Sheriff CSM completed alarm correlation.
Status: Whether the alarm is open and still correlating, or closed.
Intent & Strategy: Describes the attack pattern of indicators intruding on your system.

Intent and strategy are based on the taxonomy, or classification, of a directive. For example, a directive of AV Malware might have an "intent" of system compromise and a "strategy" of suspicious behavior. When alarms come from OTX pulses, the Intent is always Environmental Awareness and the Strategy is OTX Indicators of Compromise.

Note: Due to the size of the field label, only the strategy is visible in the Alarms list. However, when you click the row, thereby expanding the Alarms tray, the intent also becomes visible. The taxonomy for alarms with IP reputation data is based on the directive that generated the alarm.
Method: If known, the method of attack or infiltration associated with the indicator that generated the alarm. For OTX pulses, the method is the pulse name.
Risk: Risk level of an alarm, which can be Low (1), Medium (2), or High (>=3).

Risk calculation is based on the formula: Risk = Asset Value * Event Reliability * Event Priority / 25

So if Asset Value = 3, Reliability = 4 and Priority = 5, the risk would be 3 * 4 * 5 / 25 = 2.4 (rounded down to 2); therefore the Risk value is Medium.
OTX: OTX icon, present when the events causing the alarm contained IP Reputation-related data or came from IoCs related to an OTX pulse.
  • Orange — Alarm was generated by one of the following:

    • A pulse

    • Both IP Reputation and OTX pulse indicators. In this case, the pulse name displays.

  • Blue — Alarm contains IP Reputation data about one or more of the IP addresses involved.

  • N/A — No OTX data is available.

Source: Hostname or IP address of the source, with national flag if the country is known, for an event creating the alarm.
Destination: Hostname or IP address of the destination, with national flag if the country is known, that received the events generating the alarm.
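The risk formula from the Risk field above, as an added worked example (this is not Sheriff CSM code): it computes the rounded-down score, bands it into the Low/Medium/High levels the page lists, and adds a tuning helper that finds the minimum event reliability needed for an asset to reach a given level. The 0..10 reliability ceiling and the handling of a score below 1 are assumptions, not values stated on this page.

```python
# Added example, not Sheriff CSM code: the alarm risk formula and banding
# described in the Risk field, plus a small tuning helper built on it.
from typing import Optional

RISK_LEVELS = {1: "Low", 2: "Medium"}  # 3 and above is High (per the page)


def risk_score(asset_value: int, reliability: int, priority: int) -> int:
    """Asset Value * Event Reliability * Event Priority / 25, rounded down.

    Integer floor division gives the same result as the page's worked
    example (3 * 4 * 5 / 25 = 2.4, rounded down to 2) without float error.
    """
    return (asset_value * reliability * priority) // 25


def risk_level(score: int) -> Optional[str]:
    """Map a rounded-down score to the page's Low / Medium / High bands.

    Assumption: a score below 1 has no level on the page, so None is returned.
    """
    if score >= 3:
        return "High"
    return RISK_LEVELS.get(score)


def alarm_risk(asset_value: int, reliability: int, priority: int) -> Optional[str]:
    """Convenience wrapper: level for the three inputs shown in the alarm."""
    return risk_level(risk_score(asset_value, reliability, priority))


def min_reliability_for(level: str, asset_value: int, priority: int,
                        max_reliability: int = 10) -> Optional[int]:
    """Smallest event reliability that lifts an alarm to `level` for the
    given asset value and priority, or None if it cannot be reached.

    Assumption: reliability is an integer in 0..max_reliability; the
    ceiling of 10 is a common OSSIM-style value, not one stated on this page.
    """
    threshold = {"Low": 1, "Medium": 2, "High": 3}[level]
    for reliability in range(max_reliability + 1):
        if risk_score(asset_value, reliability, priority) >= threshold:
            return reliability
    return None


if __name__ == "__main__":
    # The page's worked example: asset 3, reliability 4, priority 5.
    print(risk_score(3, 4, 5), alarm_risk(3, 4, 5))   # 2 Medium
    print(min_reliability_for("High", 3, 5))          # 5
```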
Topic revision: r6 - 21 Sep 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.