Event Classification

Abstract

The event taxonomies presented in this chapter are enforced by the punch cybersecurity parsers.

Event classification groups similar events together by setting taxonomy fields on every collected event. Instead of using vendor-specific event names, all events of the same type map to the same taxonomy classification.

In turn, it becomes easier to search events and to build dashboards and reports that span devices from multiple vendors.

Example

If the BlackStratus event classification is used to group similar events, extra fields such as [taxo][nf][alarm] are set on the event, for example carrying the severity Warning.
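To illustrate the point above, here is an added example (not punch's own code) that normalises events from two constructed vendors onto the BlackStratus taxonomy and then searches them by taxonomy category rather than by vendor name. The alarm IDs, names and severities are taken from the tables on this page; the vendor mappings, and every taxonomy sub-field other than [taxo][nf][alarm], are assumptions for illustration.

```python
# Added example: map vendor-specific event names onto the BlackStratus taxonomy.
# Only [taxo][nf][alarm] is a field name from the page; the other sub-fields,
# the vendor names and the vendor-to-alarm mappings are assumptions.
from typing import Any, Dict, List

SEVERITY_LABEL = {0: "Not Set", 1: "Informational", 2: "Warning",
                  3: "Minor", 4: "Major", 5: "Critical"}

# The first two digits of a BlackStratus alarm ID identify its category.
CATEGORY_BY_PREFIX = {
    "10": "Virus / Trojan", "11": "Unknown / Suspicious",
    "12": "System Status / Configuration", "13": "Reconnaissance Attempts",
    "14": "Denial of Service", "15": "Evasion",
    "16": "Authentication / Access / Authorization",
    "17": "Application Exploits", "18": "Policy Violations",
    "19": "Correlated Category"}

# Subset of the alarm tables on this page: alarm ID -> (alarm name, severity).
ALARMS = {130010: ("Port Scan", 4),
          160002: ("Authentication/Authorization Failed", 3),
          170014: ("SQL Injection", 4),
          110010: ("Unparsed Device Message", 5)}

# Constructed vendor mappings: (vendor, vendor event name) -> alarm ID.
VENDOR_MAP = {("vendor_a", "TCP Portsweep"): 130010,
              ("vendor_b", "scan.ports"): 130010,
              ("vendor_a", "login failure"): 160002,
              ("vendor_b", "SQLi detected"): 170014}

def classify(event: Dict[str, Any]) -> Dict[str, Any]:
    """Set [taxo][nf][alarm] and related taxonomy fields on the event, in place.
    Events with no mapping become 'Unparsed Device Message' so they stay searchable."""
    alarm_id = VENDOR_MAP.get((event["vendor"], event["name"]), 110010)
    name, severity = ALARMS[alarm_id]
    event.setdefault("taxo", {})["nf"] = {
        "alarm": name, "alarm_id": alarm_id,
        "category": CATEGORY_BY_PREFIX[str(alarm_id)[:2]],
        "severity": severity, "severity_label": SEVERITY_LABEL[severity]}
    return event

def search(events: List[Dict[str, Any]], category: str, min_severity: int = 0) -> List[str]:
    """Cross-vendor search: vendors whose events fall in a taxonomy category."""
    return [e["vendor"] for e in events
            if e["taxo"]["nf"]["category"] == category
            and e["taxo"]["nf"]["severity"] >= min_severity]

# Constructed sample events from two vendors; the last one has no mapping.
SAMPLE = [classify(e) for e in [
    {"vendor": "vendor_a", "name": "TCP Portsweep"},
    {"vendor": "vendor_b", "name": "scan.ports"},
    {"vendor": "vendor_a", "name": "login failure"},
    {"vendor": "vendor_b", "name": "weird-thing"}]]
```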

BlackStratus Taxonomy

Severity

| Severity | Description |
|---|---|
| 0 | Not Set |
| 1 | Informational |
| 2 | Warning |
| 3 | Minor |
| 4 | Major |
| 5 | Critical |

Alarm Category : Virus / Trojan

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Backdoor Activity | 100001 | 5 |
| Malicious Bot | 100007 | 4 |
| Malicious Mail Attachment | 100002 | 5 |
| Malicious Software | 100003 | 5 |
| Malicious Worm | 100006 | 4 |
| Questionable Software Transmission | 100005 | 5 |
| Unspecified Virus / Trojan Event | 100000 | 5 |

Alarm Category : Unknown / Suspicious

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Content Modified By Firewall | 110001 | 4 |
| Invalid Command or Data | 110002 | 4 |
| Potential Web Vulnerability | 110009 | 4 |
| Suspicious Activity | 110004 | 4 |
| Suspicious File Extension | 110005 | 4 |
| Suspicious Packet | 110003 | 4 |
| Suspicious Pattern Detected | 110000 | 4 |
| Suspicious Port Activity | 110006 | 4 |
| Suspicious Routing | 110007 | 4 |
| Unknown Alarm | 110008 | 5 |
| Unparsed Device Message | 110010 | 5 |

Alarm Category : System Status / Configuration

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Address Translation | 120001 | 3 |
| Application Configuration | 120002 | 3 |
| Application Error | 120018 | 3 |
| Database Configuration | 120003 | 3 |
| Duplicate IP | 120004 | 3 |
| Exceed Threshold or Limit | 120005 | 3 |
| Hardware Error | 120006 | 3 |
| Mail Configuration | 120007 | 3 |
| Service/Process Status Change | 120012 | 3 |
| Software Installed | 120013 | 3 |
| System Boot | 120008 | 3 |
| System Configuration | 120009 | 3 |
| System Failure | 120014 | 3 |
| System Halt | 120010 | 4 |
| System Heartbeat | 120011 | 3 |
| System Status | 120016 | 3 |
| Unspecified Configuration/Status Event | 120000 | 3 |
| User Configuration | 120017 | 3 |

Alarm Category : Reconnaissance Attempts

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Application Query | 130001 | 4 |
| DNS Reconnaissance | 130012 | 4 |
| Host Query | 130005 | 4 |
| Intruder Detected | 130013 | 4 |
| Mail Reconnaissance | 130007 | 4 |
| Network Sweep | 130006 | 4 |
| Port Scan | 130010 | 4 |
| Portmap / RPC Request | 130009 | 4 |
| RPC Dump | 130011 | 4 |
| Unspecified Reconnaissance Event | 130000 | 4 |
| Windows Reconnaissance | 130008 | 4 |

Alarm Category : Denial of Service

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Denial of Service Exploit | 140007 | 5 |
| Flood Attack | 140002 | 5 |
| Mail Server Attack | 140004 | 5 |
| Malformed DoS Packet | 140001 | 5 |
| Unspecified Denial of Service Event | 140000 | 5 |

Alarm Category : Evasion

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| IDS Evasion | 150004 | 5 |
| IP Fragmentation | 150002 | 5 |
| IP Spoof | 150001 | 5 |
| Overlapping IP Fragments | 150003 | 5 |
| Unspecified Evasion Event | 150000 | 5 |

Alarm Category : Authentication / Access / Authorization

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Administrator Session Start | 160025 | 3 |
| Administrator Session Stop | 160026 | 3 |
| Audited / Sensitive Data Access | 160028 | 4 |
| Audited Application Access | 160021 | 3 |
| Audited User Access | 160022 | 3 |
| Authentication Succeeded | 160001 | 3 |
| Authentication/Authorization Failed | 160002 | 3 |
| Data Access | 160027 | 3 |
| Database Access | 160004 | 3 |
| Encrypted Access / Authentication / Authorization | 160003 | 3 |
| File Access | 160006 | 3 |
| FTP Access | 160005 | 3 |
| Mail Access | 160007 | 3 |
| Network Access Started | 160008 | 3 |
| Network Access Stopped | 160009 | 3 |
| Privilege Escalation | 160011 | 4 |
| Security Negotiation | 160013 | 4 |
| Security Policy Change | 160014 | 4 |
| SNMP Access | 160020 | 3 |
| Telnet Access | 160015 | 3 |
| Unix / Linux Access | 160016 | 3 |
| Unspecified Access / Authentication / Authorization | 160000 | 3 |
| User / Application Session Start | 160023 | 3 |
| User / Application Session Stop | 160024 | 3 |
| Web Access | 160018 | 3 |
| Windows Access | 160019 | 3 |

Alarm Category : Application Exploits

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Buffer Overflow Exploit | 170001 | 5 |
| Bulk Data Transfer | 170013 | 4 |
| Code Injection | 170015 | 4 |
| Cross-Site Scripting | 170016 | 4 |
| DNS Exploit | 170002 | 4 |
| Format String Vulnerability | 170021 | 4 |
| FTP Exploit | 170004 | 4 |
| LDAP Injection | 170019 | 4 |
| Linux / Unix Exploit | 170005 | 4 |
| Mail Exploit | 170006 | 4 |
| Netbios Exploit | 170018 | 4 |
| Network Device Exploit | 170007 | 4 |
| OS Command Injection | 170020 | 4 |
| Other Host Exploits | 170008 | 4 |
| Path Traversal | 170017 | 4 |
| SQL Injection | 170014 | 4 |
| TCP Hijacking | 170010 | 5 |
| Telnet Exploit | 170009 | 4 |
| Unspecified Application Exploit Event | 170000 | 4 |
| Web Exploit | 170011 | 4 |
| Windows Exploit | 170012 | 4 |
| XML Injection | 170022 | 4 |

Alarm Category : Policy Violations

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Chat and Instant Messaging | 180003 | 3 |
| Data Access Denied | 180013 | 4 |
| Excessive Internet Access | 180008 | 3 |
| Forbidden Application Access | 180006 | 3 |
| Forbidden Data Access | 180015 | 4 |
| Forbidden Database Access | 180007 | 3 |
| Forbidden FTP Access | 180012 | 3 |
| Forbidden HTTP Access | 180001 | 3 |
| Forbidden Software Installation | 180011 | 3 |
| Forbidden Streaming Content | 180004 | 3 |
| Forbidden Telnet / SSH Access | 180002 | 3 |
| Inappropriate Internal Networking | 180010 | 3 |
| Inappropriate Mail Content or Attachments | 180009 | 3 |
| Other External IP Access | 180005 | 3 |
| Service Level Violation | 180014 | 4 |
| Unspecified Policy Violation Event | 180000 | 3 |

Alarm Category : Correlated Category

| Alarm Name | Alarm ID | Severity |
|---|---|---|
| Administrative Abuse / Insider Threat | 190013 | 5 |
| Automated Attack | 190002 | 5 |
| Brute Force | 190003 | 5 |
| Confirmed Compromise | 190004 | 5 |
| Correlated state timed out | 190010 | 5 |
| Countermeasures Deployed | 190005 | 5 |
| Custom | 190000 | 5 |
| Decay Score | 190001 | 5 |
| Exploitation Attempt | 190011 | 5 |
| Failed Exploit | 190006 | 5 |
| Malicious Scan | 190009 | 5 |
| Planned Attack | 190007 | 5 |
| Successful DOS | 190008 | 5 |
| Suspicious DB Commands->Large Data Transfer | 190012 | 5 |