Applies to Product: Sheriff CSM™, Sheriff Vigilante®
Sheriff event taxonomy consists of product types, categories, and subcategories.
Sheriff CSM Event Taxonomy — Product Types

- Infrastructure Monitoring
- Remote Application Access
- Unified threat management
- Wireless Security/Management
Available options for categories will differ depending on which product type you select, and available options for subcategories will differ depending on which category you select.
Sheriff CSM Event Taxonomy — Categories

| Category | Category Description |
| --- | --- |
| Access | An event that indicates a particular system, service, or resource is being used. |
| Alarm | |
| Alert | An alarm triggered from a security detection system. |
| Analysis | |
| Anomalies | |
| Antivirus | An event from an antivirus (or other endpoint security control) system. |
| Application | A log entry from an application or service that cannot be matched to one of the other categories in the Sheriff CSM taxonomy. |
| Authentication | An event from an authentication system, or the authentication sub-component of an application or operating system. |
| Availability | An event from a resource-availability monitoring system. |
| Correlation | |
| Correlation_Directives | |
| Cross_Correlation_Rules | |
| Database | |
| Hashboards | |
| Denial_Of_Service | A possible denial-of-service attack has been detected by correlating events seen on the network. |
| Exploit | Indicates the possible exploitation of a known vulnerability in a particular application or operating system. |
| Honeypot | An event from a honeypot system. Any connection to a honeypot is assumed to come either from a misconfigured system or from a malicious source. |
| Incidents | |
| Info | An informational event, usually without direct significance to security. General system logs often fall into this category. |
| Inventory | An event from an inventory management system, probably the systems built into Sheriff CSM. |
| Knowledge_DB | |
| Malware | Malware has been detected, either running on a system, being transferred over the network, or communicating with a command-and-control system. |
| Monitor | |
| Network | |
| Policy | A violation of your company's usage policy has been detected. This may take the form of unapproved software installations, Internet services, or security configurations. |
| Policy_and_Actions | |
| Recon | A system has been detected scanning other systems on the network. |
| Reports | |
| SEIM_Components | |
| SEIM_Components_Databases | |
| SEIM_Components_Servers | |
| Suspicious | A log entry that is unusual within the context of the system it originates from. |
| System | |
| Tools | |
| Voip | An event from a Voice-over-IP communication system. |
| Vulnerabilities | |
| Wireless | An event from a wireless Ethernet (802.11) device. |
Sheriff Vigilante limitations: The Sheriff CSM SIEM engine offers more extensive event-handling capabilities than Sheriff Vigilante because of its built-in correlation and graph-based analytics.