Risk = (asset value * event priority * event reliability) / 25
Where:
Therefore, the risk value is from 0 to 10. Decimals are always rounded down. For example, if the asset value is 3, event priority is 3, and event reliability is 5, you will get 3 * 3 * 5 / 25 = 1.8. In this case, the risk for the event is 1.
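
The calculation and the alarm rule, as an added Python example (not Sheriff CSM code). The input ranges (asset value and priority 0 to 5, reliability 0 to 10) are assumptions consistent with the stated 0 to 10 risk range, and the sample events are constructed. It sweeps the asset value to show how many of a fixed set of events reach the alarm threshold of 1 described in the next paragraph.

```python
# Added example: risk calculation and alarm threshold.
# Input ranges are assumptions; the page only states that risk runs 0..10.
ASSET_VALUE_RANGE = (0, 5)     # assumed
PRIORITY_RANGE = (0, 5)        # assumed
RELIABILITY_RANGE = (0, 10)    # assumed
ALARM_THRESHOLD = 1            # from the page: risk >= 1 generates an alarm

def risk(asset_value, priority, reliability):
    """Risk = (asset value * priority * reliability) / 25, rounded down."""
    for name, value, (low, high) in (
        ("asset value", asset_value, ASSET_VALUE_RANGE),
        ("priority", priority, PRIORITY_RANGE),
        ("reliability", reliability, RELIABILITY_RANGE),
    ):
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name} must be an integer in {low}..{high}")
    return (asset_value * priority * reliability) // 25  # floor, not round

def raises_alarm(asset_value, priority, reliability):
    return risk(asset_value, priority, reliability) >= ALARM_THRESHOLD

def min_alarming_asset_value(priority, reliability):
    """Lowest asset value at which the event alarms, or None if it never does."""
    low, high = ASSET_VALUE_RANGE
    for asset_value in range(low, high + 1):
        if raises_alarm(asset_value, priority, reliability):
            return asset_value
    return None

def alarm_counts(events):
    """Map each possible asset value to the number of events that alarm on it."""
    low, high = ASSET_VALUE_RANGE
    return {
        av: sum(raises_alarm(av, p, r) for _, p, r in events)
        for av in range(low, high + 1)
    }

# Constructed sample of (name, priority, reliability) for events an appliance
# might log about itself; names and values are illustrative only.
SELF_EVENTS = [
    ("informational-a", 1, 2), ("informational-b", 2, 3),
    ("informational-c", 2, 5), ("informational-d", 3, 4),
    ("notable-e", 4, 6),
]

if __name__ == "__main__":
    print("worked example from the text:", risk(3, 3, 5))
    for av, count in alarm_counts(SELF_EVENTS).items():
        print(f"asset value {av}: {count} of {len(SELF_EVENTS)} events alarm")
```
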
In Sheriff CSM, any event with a risk value greater than or equal to 1 generates an alarm. Sheriff recommends that you do not change the asset value of the Sheriff CSM instance, because Sheriff CSM generates its own events, most of which are informational. Therefore, raising the value of this asset (which increases the risk of those events) will generate a larger number of false positive alarms.

Service Name | Priority |
---|---|
Manual — Locked | 10 |
Availability Monitoring | 8 |
LDAP | 8 |
Active Asset Scan | 7 |
WMI | 7 |
Vulnerability Scan | 5 |
HIDS | 5 |
Passive Asset Scan | 4 |
Manual | 3 |

You can group assets based on a number of attributes, including the following:
By default, Sheriff CSM comes with three networks already specified: