Documentation Center
AlienVault® USM Appliance™

Event Taxonomy — Product Types and Categories

Applies to Product: USM Appliance™ AlienVault OSSIM®

AlienVault event taxonomy consists of product types, categories, and subcategories.

USM Appliance Event Taxonomy — Product Types

Product Types

  • Alarm
  • Honeypot
  • Other Devices
  • AlienVault Devices
  • Infrastructure Monitoring
  • Proxy
  • Anomaly Detection
  • Intrusion Detection
  • Remote Application Access
  • Antivirus
  • Intrusion Prevention
  • Router/Switch
  • Application
  • Load Balancer
  • Server
  • Application Firewall
  • Mail Security
  • Unified threat management
  • Authentication and DHCP
  • Mail Server
  • VPN
  • Data Protection
  • Management Platform
  • Vulnerability Scanner
  • Database
  • Network Access Control
  • Web Server
  • Endpoint Security
  • Network Discovery
  • Wireless Security/Management
  • Firewall
  • Operating System
 

Available options for categories will differ depending on which product type you select, and available options for subcategories will differ depending on which category you select.

USM Appliance Event Taxonomy — Categories

| Category | Category Description |
|---|---|
| Access | An event that indicates a particular system, service, or resource is being used. |
| Alarm | |
| Alert | An alarm triggered from a security detection system. |
| Analysis | |
| Anomalies | |
| Antivirus | An event from an antivirus (or other endpoint security control) system. |
| Application | A log entry from an application or service that cannot be matched to one of the other categories in the USM Appliance taxonomy. |
| Authentication | An event from an authentication system, or the authentication sub-component of an application or operating system. |
| Availability | An event from a resource-availability monitoring system. |
| Correlation | |
| Correlation_Directives | |
| Cross_Correlation_Rules | |
| Database | |
| Hashboards | |
| Denial_Of_Service | A possible denial-of-service attack has been detected via correlating events seen on the network. |
| Exploit | Indicates the possible exploitation of a known vulnerability in a particular application or operating system. |
| Honeypot | This is an event from a honeypot system. Any connection to a honeypot is assumed to be either from a misconfigured system or a malicious source. |
| Incidents | |
| Info | An informational event, usually without direct significance to security. General system logs often fall into this category. |
| Inventory | An event from an inventory management system, probably the systems built into USM Appliance. |
| Knowledge_DB | |
| Malware | Malware has been detected, either running on a system, being transferred over the network, or communicating with a command-and-control system. |
| Monitor | |
| Network | |
| Policy | A violation of your company's usage policy has been detected. This may be in the form of unapproved software installations, Internet services, or security configurations. |
| Policy_and_Actions | |
| Recon | A system has been detected scanning other systems on the network. |
| Reports | |
| SEIM_Components | |
| SEIM_Components_Databases | |
| SEIM_Components_Servers | |
| Suspicious | This event represents a log entry that is unusual within the context of the system it originates from. |
| System | |
| Tools | |
| Voip | This is an event from a Voice-Over-IP communication system. |
| Vulnerabilities | |
| Wireless | This is an event from a wireless Ethernet (802.11) device. |

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.