High-level Event Categories

Events from JSA log sources are grouped into high-level categories; every event is assigned to exactly one high-level category.

Categorizing incoming events in this way makes the data easy to search and filter, for example, when you want to review all authentication events or all exploit events regardless of which log source produced them.

The following table describes the high-level event categories and their numeric category IDs.

Table 1: High-level Event Categories

| Category | Category ID | Description |
|---|---|---|
| Recon | 1000 | Events that are related to scanning and other techniques that are used to identify network resources, for example, network or host port scans. |
| DoS | 2000 | Events that are related to denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against services or hosts, for example, brute-force network DoS attacks. |
| Authentication | 3000 | Events that are related to authentication controls or to group or privilege changes, for example, log in or log out. |
| Access | 4000 | Events that result from an attempt to access network resources, for example, firewall accept or deny. |
| Exploit | 5000 | Events that are related to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits. |
| Malware | 6000 | Events that are related to viruses, trojans, back door attacks, or other forms of hostile software. Malware events might include a virus, trojan, malicious software, or spyware. |
| Suspicious Activity | 7000 | The nature of the threat is unknown but the behavior is suspicious. The threat might include protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known intrusion detection system (IDS) evasion techniques. |
| System | 8000 | Events that are related to system changes, software installation, or status messages. |
| Policy | 9000 | Events that are related to corporate policy violations or misuse. |
| Unknown | 10000 | Events that are related to unknown activity on your system. |
| CRE | 12000 | Events that are generated from an offense or event rule. |
| Potential Exploit | 13000 | Events that are related to potential application exploits and buffer overflow attempts. |
| Flow | 14000 | Events that are related to flow actions. |
| User Defined | 15000 | Events that are related to user-defined objects. |
| SIM Audit | 16000 | Events that are related to user interaction with the Console and administrative functions. |
| VIS Host Discovery | 17000 | Events that are related to the hosts, ports, or vulnerabilities that the VIS component discovers. |
| Application | 18000 | Events that are related to application activity. |
| Audit | 19000 | Events that are related to audit activity. |
| Risk | 20000 | Events that are related to risk activity in JSA Risk Manager. |
| Risk Manager Audit | 21000 | Events that are related to audit activity in JSA Risk Manager. |
| Control | 22000 | Events that are related to your hardware system. |
| Asset Profiler | 23000 | Events that are related to asset profiles. |
| Sense | 24000 | Events that are related to UBA (User Behavior Analytics). |