The following tables provide Security classification information. The first table lists each classification with its description and examples of where it applies.

| Classification | Description |
|---|---|
| Compromise | Logs reporting on a successful system or network compromise. Seen more often on Host Intrusion Detection Systems (HIDS) than on network-based detection mechanisms. |
| Attack | Logs reporting on activity indicative of a system or network attack where it is either assumed to have been successful or cannot be assumed to have failed. The attack is known to have originated from a "Bad Guy" source. |
| Denial of Service | Logs reporting on activity indicative of a denial of service where it is assumed to have succeeded or cannot be assumed to have failed. |
| Malware | Logs reporting on activity indicative of malware installation, propagation, or use. This classification is set to RR=9 because malware indicates complex control of systems within the environment, possibly leading to data loss with malicious intent, theft, tampering, etc. |
| Suspicious | Logs reporting on activity that is suspicious but not known to be an attack or unauthorized. |
| Reconnaissance | Logs reporting on activity indicative of, or directly indicating, system or network reconnaissance. |
| Misuse | Logs reporting on activity indicative of system or network misuse. |
| Activity | Logs reporting on general system or network activity. |
| Failed Attack | Logs reporting on attack activity that was not successful, possibly due to preventative measures. |
| Failed Denial of Service | Logs reporting on denial of service activity that was not successful, possibly due to preventative measures. |
| Failed Malware | Logs reporting on malware activity that was not successful, possibly due to preventative measures. |
| Failed Suspicious | Logs reporting on suspicious activity that was not successful, possibly due to preventative measures. |
| Failed Activity | Logs reporting on general system or network activity that was not successful, possibly due to preventative measures. |
| Other Security | Logs reporting on security activity not otherwise classifiable. |
Security Classification Defaults

This table gives the defaults for Risk Rating (RR), Event Forwarding, and LogMart Forwarding for each classification.

| Classification | Default Risk Rating (RR)* | Default Event Forwarding** | Default LogMart Forwarding |
|---|---|---|---|
| Compromise | 9 | Forward All | Forward All |
| Attack | 8 | Forward All | Forward All |
| Denial of Service | 8 | Forward All | Forward All |
| Malware | 9 | Forward All | Forward All |
| Suspicious | 6 | Forward All | Forward All |
| Reconnaissance | 4 | Forward All | Forward All |
| Misuse | 5 | Forward All | Forward All |
| Activity | 0 | Forward If | Forward Events |
| Failed Attack | 0 | Forward None | Forward All |
| Failed Denial of Service | 0 | Forward None | Forward All |
| Failed Malware | 0 | Forward None | Forward All |
| Failed Suspicious | 0 | Forward None | Forward All |
| Failed Activity | 0 | Forward None | Forward None |
| Other Security | 0 | Case by Case | Forward Events |
*This is the usual Risk Rating assigned to a Common Event associated with this classification. However, Risk Ratings will vary by Common Event within the same classification. This value is a general default, not strictly enforced.
**This is the default setting for forwarding the log to the Platform Manager assigned to a Common Event associated with this classification.