Event Types gives you granular control over which specific kinds of events the policy looks for. Event types are divided into two groups:
- DS (Data Source) Groups — Define the data sources for events.
- Taxonomy — Defines the types of events.
Event Types — DS Groups
A data source is any application or device that generates information which Sheriff CSM can collect and analyze. Sheriff CSM organizes the data sources used by event policies into Data Source Groups. Assembling data sources into a DS group makes it easier to cover multiple data sources with a single policy.
For information about the use of data source plugins in Sheriff CSM, see Log Collection and Normalization in Sheriff CSM.
When you create a policy with a particular data source in mind, you can limit the event types to those that best suit the policy. If you are creating a policy for a certain plugin and are only interested in certain events (such as logins, configuration changes, VPN connections, or dropped connections), select only the event types of that plugin that are relevant to the policy. For more detailed instructions, see Insert a New DS Group Based on Data Sources.
Note: Policies belonging to the "Policies for events generated in server" policy group can only include DS Groups made up of system events.
Event Types — Taxonomy
Taxonomy refers to the classification of security events using a system of main categories and subcategories. See Sheriff CSM Event Taxonomy for more information.
You can select either general categories or more specific classifications by relying on the event taxonomies assigned in the database. Use the Product Type, Category, and Subcategory taxonomy parameters to create a taxonomy condition. The available Category options depend on which Product Type is selected; likewise, the available Subcategory options depend on which Category is selected.
In the example below, only events matching all of the taxonomy parameters would meet the policy condition:
For more detailed instructions, see Configure Taxonomy as a Condition.
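The following is an added illustration, not Sheriff CSM's own code: a small Python model of how a policy condition built from a DS group plus Product Type, Category, and Subcategory parameters is evaluated, where every parameter that is set must match and the cascading menus only allow a category or subcategory that exists under its parent. The DS groups, plugin names, and taxonomy tree are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample DS groups: group name -> plugins (data sources) it contains.
DS_GROUPS = {
    "firewalls": {"cisco-asa", "pfsense"},
    "vpn": {"cisco-asa", "openvpn"},
}

# Constructed taxonomy tree: product type -> category -> subcategories.
# Valid categories depend on the product type and valid subcategories on
# the category, mirroring the cascading selection described above.
TAXONOMY = {
    "Firewall": {"Denial": {"Connection"}, "Access": {"Login", "Logout"}},
    "VPN": {"Access": {"Login", "Logout"}, "Network": {"Tunnel"}},
}

@dataclass
class Event:
    plugin: str          # data source plugin that produced the event
    product_type: str    # taxonomy values assigned to the event in the database
    category: str
    subcategory: str

@dataclass
class Condition:
    ds_group: Optional[str] = None        # None means "any data source"
    product_type: Optional[str] = None    # None means "any value" for that parameter
    category: Optional[str] = None
    subcategory: Optional[str] = None

def validate_condition(cond: Condition) -> None:
    """Reject selections the cascading Product Type/Category/Subcategory menus would never offer."""
    if cond.ds_group is not None and cond.ds_group not in DS_GROUPS:
        raise ValueError(f"unknown DS group {cond.ds_group!r}")
    if cond.product_type is not None and cond.product_type not in TAXONOMY:
        raise ValueError(f"unknown product type {cond.product_type!r}")
    if cond.category is not None:
        if cond.product_type is None or cond.category not in TAXONOMY[cond.product_type]:
            raise ValueError(f"category {cond.category!r} is not offered under that product type")
    if cond.subcategory is not None:
        if cond.category is None or cond.subcategory not in TAXONOMY[cond.product_type][cond.category]:
            raise ValueError(f"subcategory {cond.subcategory!r} is not offered under that category")

def matches(event: Event, cond: Condition) -> bool:
    """An event meets the condition only if every parameter that is set matches it."""
    validate_condition(cond)
    if cond.ds_group is not None and event.plugin not in DS_GROUPS[cond.ds_group]:
        return False
    return all(getattr(cond, p) is None or getattr(cond, p) == getattr(event, p)
               for p in ("product_type", "category", "subcategory"))
```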