Applies to Product: Sheriff CSM™, Sheriff Vigilante®
Sheriff event taxonomy consists of product types, categories, and subcategories.
Sheriff CSM Event Taxonomy — Product Types

- Infrastructure Monitoring
- Remote Application Access
- Unified threat management
- Wireless Security/Management
Available options for categories will differ depending on which product type you select, and available options for subcategories will differ depending on which category you select.
Sheriff CSM Event Taxonomy — Categories

| Category | Category Description |
| --- | --- |
| Access | An event that indicates a particular system, service, or resource is being used. |
| Alarm | |
| Alert | An alarm triggered from a security detection system. |
| Analysis | |
| Anomalies | |
| Antivirus | An event from an antivirus (or other endpoint security control) system. |
| Application | A log entry from an application or service that cannot be matched to one of the other categories in the Sheriff CSM taxonomy. |
| Authentication | An event from an authentication system, or the authentication sub-component of an application or operating system. |
| Availability | An event from a resource-availability monitoring system. |
| Correlation | |
| Correlation_Directives | |
| Cross_Correlation_Rules | |
| Database | |
| Dashboards | |
| Denial_Of_Service | A possible denial-of-service attack has been detected by correlating events seen on the network. |
| Exploit | Indicates the possible exploitation of a known vulnerability in a particular application or operating system. |
| Honeypot | An event from a honeypot system. Any connection to a honeypot is assumed to come either from a misconfigured system or from a malicious source. |
| Incidents | |
| Info | An informational event, usually without direct significance to security. General system logs often fall into this category. |
| Inventory | An event from an inventory management system, typically the inventory management built into Sheriff CSM. |
| Knowledge_DB | |
| Malware | Malware has been detected, either running on a system, being transferred over the network, or communicating with a command-and-control system. |
| Monitor | |
| Network | |
| Policy | A violation of your company's usage policy has been detected. This may take the form of unapproved software installations, Internet services, or security configurations. |
| Policy_and_Actions | |
| Recon | A system has been detected scanning other systems on the network. |
| Reports | |
| SEIM_Components | |
| SEIM_Components_Databases | |
| SEIM_Components_Servers | |
| Suspicious | A log entry that is unusual within the context of the system it originates from. |
| System | |
| Tools | |
| Voip | An event from a Voice-over-IP communication system. |
| Vulnerabilities | |
| Wireless | An event from a wireless Ethernet (802.11) device. |
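As an added example (not Sheriff code and not taken from this page), the following Python shows what a normalizer does with this taxonomy: it assigns each raw log line to one of the category names in the table above, falls back to Info for general system logs, and then checks the assigned category against a product-type restriction. The category names are the ones listed above; the regex rules, the sample syslog lines and the product-type-to-category mapping are constructed assumptions for illustration only, since the page states only that the permitted categories depend on the product type.

```python
"""Map raw log lines onto Sheriff CSM taxonomy categories.

Added example, not Sheriff code. The category names are the ones listed
on this page; the regex rules, the sample log lines and the
product-type-to-category restriction are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Category names exactly as they appear in the taxonomy table above.
CATEGORIES = frozenset({
    "Access", "Alarm", "Alert", "Analysis", "Anomalies", "Antivirus",
    "Application", "Authentication", "Availability", "Correlation",
    "Correlation_Directives", "Cross_Correlation_Rules", "Database",
    "Dashboards", "Denial_Of_Service", "Exploit", "Honeypot", "Incidents",
    "Info", "Inventory", "Knowledge_DB", "Malware", "Monitor", "Network",
    "Policy", "Policy_and_Actions", "Recon", "Reports", "SEIM_Components",
    "SEIM_Components_Databases", "SEIM_Components_Servers", "Suspicious",
    "System", "Tools", "Voip", "Vulnerabilities", "Wireless",
})

# Hypothetical product type -> permitted categories. The page only says that
# the category options depend on the product type; this mapping is assumed.
ALLOWED_BY_PRODUCT_TYPE = {
    "Infrastructure Monitoring": {"Availability", "Monitor", "System", "Info"},
    "Remote Application Access": {"Access", "Authentication", "Application", "Info"},
    "Unified threat management": {"Antivirus", "Malware", "Exploit", "Recon",
                                  "Denial_Of_Service", "Policy", "Honeypot", "Info"},
    "Wireless Security/Management": {"Wireless", "Authentication", "Info"},
}

# Ordered (rule name, category, pattern). First match wins; "Info" is the
# fallback, matching the table's "general system logs" description.
RULES = [
    ("ssh_auth_failure", "Authentication",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from \S+")),
    ("ssh_auth_success", "Authentication",
     re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for \S+")),
    ("portscan", "Recon",
     re.compile(r"(?:portscan|port scan|nmap).*?(?:from|src=)\s*\S+", re.I)),
    ("av_detection", "Malware",
     re.compile(r"(?:Trojan|Worm|Ransom)\S*.*?(?:FOUND|detected|quarantined)", re.I)),
    ("honeypot_hit", "Honeypot", re.compile(r"\bcowrie\.session\b", re.I)),
    ("sudo_denied", "Policy",
     re.compile(r"sudo: .*(?:command not allowed|user NOT in sudoers)")),
    ("cron_job", "Info", re.compile(r"CRON\[\d+\]")),
]
# Every rule must target a category that exists in the taxonomy.
assert all(cat in CATEGORIES for _, cat, _ in RULES), "rule targets an unknown category"


@dataclass(frozen=True)
class Classified:
    category: str   # taxonomy category assigned
    rule: str       # name of the rule that fired ("default" for the fallback)
    line: str       # original log line


def classify(line: str) -> Classified:
    """Return the first rule whose pattern matches, else the Info fallback."""
    for name, category, pattern in RULES:
        if pattern.search(line):
            return Classified(category, name, line)
    return Classified("Info", "default", line)


def summarize(lines):
    """Count assigned categories over a batch of lines."""
    counts = {}
    for line in lines:
        category = classify(line).category
        counts[category] = counts.get(category, 0) + 1
    return counts


def validate(product_type: str, category: str) -> bool:
    """True only if the category exists in the taxonomy AND is permitted for the product type."""
    return category in CATEGORIES and category in ALLOWED_BY_PRODUCT_TYPE.get(product_type, set())


# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LINES = [
    "Mar  3 10:14:02 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52212 ssh2",
    "Mar  3 10:14:05 bastion sshd[2240]: Accepted publickey for ops from 198.51.100.12 port 40010 ssh2",
    "Mar  3 10:15:30 fw01 snort[441]: Portscan detected from 203.0.113.7 to 10.0.0.0/24",
    "Mar  3 10:16:01 ws17 clamd[903]: /home/ann/dl/invoice.exe: Win.Trojan.Agent-123 FOUND",
    "Mar  3 10:17:44 hp01 cowrie.session.connect: New connection: 203.0.113.7:55211 (10.0.5.5:2222)",
    "Mar  3 10:18:10 ws17 sudo:     ann : user NOT in sudoers ; TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:20:01 ws17 CRON[1044]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:21:00 ws17 kernel: [12345.678] usb 1-1: new high-speed USB device number 4",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = classify(line)
        print(f"{result.category:<15} {result.rule:<17} {line[:60]}")
    print(summarize(SAMPLE_LINES))
```

The rule order matters: a more specific rule (an SSH failure) must sit before any broader one, and the Info fallback catches the kernel line that no rule claims, which is exactly the "general system logs" case the table describes. `validate` rejects both an unknown category name and a category that is legitimate in the taxonomy but not offered for the selected product type, so a mis-typed category such as a misspelled Dashboards never reaches a correlation rule silently.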
Sheriff Vigilante Limitations: The Sheriff CSM SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.