Event Classification
Abstract
The event taxonomies presented in this chapter are enforced
by punch cybersecurity parser.
Event classification groups similar events together by setting taxonomy
fields on every events collected. Instead of using vendor specific event
names, all the events of the same type map to the same taxonomy
classification.
In turn it is then easier to search events and create dashboards
and reports from multiple vendor devices.
Example
if BlackStratus events classification is used to group
similar events. Extra field will be set like [taxo][nf][alarm] for
severity Warning
BlackStratus Taxonomy
Severity
| Severity |
Description |
| 0 |
Not Set |
| 1 |
Informational |
| 2 |
Warning |
| 3 |
Minor |
| 4 |
Major |
| 5 |
Critical |
Alarm Category : Virus / Trojan
| Alarm Name |
Alarm ID |
Severity |
| Backdoor Activity |
100001 |
5 |
| Malicious Bot |
100007 |
4 |
| Malicious Mail Attachment |
100002 |
5 |
| Malicious Software |
100003 |
5 |
| Malicious Worm |
100006 |
4 |
| Questionable Software Transmission |
100005 |
5 |
| Unspecified Virus / Trojan Event |
100000 |
5 |
Alarm Category : Unknown / Suspicious
| Alarm Name |
Alarm ID |
Severity |
| Content Modified By Firewall |
110001 |
4 |
| Invalid Command or Data |
110002 |
4 |
| Potential Web Vulnerability |
110009 |
4 |
| Suspicious Activity |
110004 |
4 |
| Suspicious File Extension |
110005 |
4 |
| Suspicious Packet |
110003 |
4 |
| Suspicious Pattern Detected |
110000 |
4 |
| Suspicious Port Activity |
110006 |
4 |
| Suspicious Routing |
110007 |
4 |
| Unknown Alarm |
110008 |
5 |
| Unparsed Device Message |
110010 |
5 |
Alarm Category : System Status / Configuration
| Alarm Name |
Alarm ID |
Severity |
| Address Translation |
120001 |
3 |
| Application Configuration |
120002 |
3 |
| Application Error |
120018 |
3 |
| Database Configuration |
120003 |
3 |
| Duplicate IP |
120004 |
3 |
| Exceed Threshold or Limit |
120005 |
3 |
| Hardware Error |
120006 |
3 |
| Mail Configuration |
120007 |
3 |
| Service/Process Status Change |
120012 |
3 |
| Software Installed |
120013 |
3 |
| System Boot |
120008 |
3 |
| System Configuration |
120009 |
3 |
| System Failure |
120014 |
3 |
| System Halt |
120010 |
4 |
| System Heartbeat |
120011 |
3 |
| System Status |
120016 |
3 |
| Unspecified Configuration/Status Event |
120000 |
3 |
| User Configuration |
120017 |
3 |
Alarm Category : Reconnaissance Attempts
| Alarm Name |
Alarm ID |
Severity |
| Application Query |
130001 |
4 |
| DNS Reconnaissance |
130012 |
4 |
| Host Query |
130005 |
4 |
| Intruder Detected |
130013 |
4 |
| Mail Reconnaissance |
130007 |
4 |
| Network Sweep |
130006 |
4 |
| Port Scan |
130010 |
4 |
| Portmap / RPC Request |
130009 |
4 |
| RPC Dump |
130011 |
4 |
| Unspecified Reconnaissance Event |
130000 |
4 |
| Windows Reconnaissance |
130008 |
4 |
Alarm Category : Denial of Service
| Alarm Name |
Alarm ID |
Severity |
| Denial of Service Exploit |
140007 |
5 |
| Flood Attack |
140002 |
5 |
| Mail Server Attack |
140004 |
5 |
| Malformed DoS Packet |
140001 |
5 |
| Unspecified Denial of Service Event |
140000 |
5 |
Alarm Category : Evasion
| Alarm Name |
Alarm ID |
Severity |
| IDS Evasion |
150004 |
5 |
| IP Fragmentation |
150002 |
5 |
| IP Spoof |
150001 |
5 |
| Overlapping IP Fragments |
150003 |
5 |
| Unspecified Evasion Event |
150000 |
5 |
Alarm Category : Authentication / Access / Authorization
| Alarm Name |
Alarm ID |
Severity |
| Administrator Session Start |
160025 |
3 |
| Administrator Session Stop |
160026 |
3 |
| Audited / Sensitive Data Access |
160028 |
4 |
| Audited Application Access |
160021 |
3 |
| Audited User Access |
160022 |
3 |
| Authentication Succeeded |
160001 |
3 |
| Authentication/Authorization Failed |
160002 |
3 |
| Data Access |
160027 |
3 |
| Database Access |
160004 |
3 |
| Encrypted Access / Authentication / Authorization |
160003 |
3 |
| File Access |
160006 |
3 |
| FTP Access |
160005 |
3 |
| Mail Access |
160007 |
3 |
| Network Access Started |
160008 |
3 |
| Network Access Stopped |
160009 |
3 |
| Privilege Escalation |
160011 |
4 |
| Security Negotiation |
160013 |
4 |
| Security Policy Change |
160014 |
4 |
| SNMP Access |
160020 |
3 |
| Telnet Access |
160015 |
3 |
| Unix / Linux Access |
160016 |
3 |
| Unspecified Access / Authentication / Authorization |
160000 |
3 |
| User / Application Session Start |
160023 |
3 |
| User / Application Session Stop |
160024 |
3 |
| Web Access |
160018 |
3 |
| Windows Access |
160019 |
3 |
Alarm |Category : Application Exploits
| Alarm Name |
Alarm ID |
Severity |
| Buffer Overflow Exploit |
170001 |
5 |
| Bulk Data Transfer |
170013 |
4 |
| Code Injection |
170015 |
4 |
| Cross-Site Scripting |
170016 |
4 |
| DNS Exploit |
170002 |
4 |
| Format String Vulnerability |
170021 |
4 |
| FTP Exploit |
170004 |
4 |
| LDAP Injection |
170019 |
4 |
| Linux / Unix Exploit |
170005 |
4 |
| Mail Exploit |
170006 |
4 |
| Netbios Exploit |
170018 |
4 |
| Network Device Exploit |
170007 |
4 |
| OS Command Injection |
170020 |
4 |
| Other Host Exploits |
170008 |
4 |
| Path Traversal |
170017 |
4 |
| SQL Injection |
170014 |
4 |
| TCP Hijacking |
170010 |
5 |
| Telnet Exploit |
170009 |
4 |
| Unspecified Application Exploit Event |
170000 |
4 |
| Web Exploit |
170011 |
4 |
| Windows Exploit |
170012 |
4 |
| XML Injection |
170022 |
4 |
Alarm Category : Policy Violations
| Alarm Name |
Alarm ID |
Severity |
| Chat and Instant Messaging |
180003 |
3 |
| Data Access Denied |
180013 |
4 |
| Excessive Internet Access |
180008 |
3 |
| Forbidden Application Access |
180006 |
3 |
| Forbidden Data Access |
180015 |
4 |
| Forbidden Database Access |
180007 |
3 |
| Forbidden FTP Access |
180012 |
3 |
| Forbidden HTTP Access |
180001 |
3 |
| Forbidden Software Installation |
180011 |
3 |
| Forbidden Streaming Content |
180004 |
3 |
| Forbidden Telnet / SSH Access |
180002 |
3 |
| Inappropriate Internal Networking |
180010 |
3 |
| Inappropriate Mail Content or Attachments |
180009 |
3 |
| Other External IP Access |
180005 |
3 |
| Service Level Violation |
180014 |
4 |
| Unspecified Policy Violation Event |
180000 |
3 |
| Alarm Name |
Alarm ID |
Severity |
| Administrative Abuse / Insider Threat |
190013 |
5 |
| Automated Attack |
190002 |
5 |
| Brute Force |
190003 |
5 |
| Confirmed Compromise |
190004 |
5 |
| Correlated state timed out |
190010 |
5 |
| Countermeasures Deployed |
190005 |
5 |
| Custom |
190000 |
5 |
| Decay Score |
190001 |
5 |
| Exploitation Attempt |
190011 |
5 |
| Failed Exploit |
190006 |
5 |
| Malicious Scan |
190009 |
5 |
| Planned Attack |
190007 |
5 |
| Successful DOS |
190008 |
5 |
| Suspicious DB Commands->Large Data Transfer |
190012 |
5 |