AlienVault® USM Appliance™

Event Taxonomy — Product Types and Categories

Applies to Product: USM Appliance™ AlienVault OSSIM®

AlienVault event taxonomy consists of product types, categories, and subcategories.

USM Appliance Event Taxonomy — Product Types

Product Types

  • Alarm
  • AlienVault Devices
  • Anomaly Detection
  • Antivirus
  • Application
  • Application Firewall
  • Authentication and DHCP
  • Data Protection
  • Database
  • Endpoint Security
  • Firewall
  • Honeypot
  • Infrastructure Monitoring
  • Intrusion Detection
  • Intrusion Prevention
  • Load Balancer
  • Mail Security
  • Mail Server
  • Management Platform
  • Network Access Control
  • Network Discovery
  • Operating System
  • Other Devices
  • Proxy
  • Remote Application Access
  • Router/Switch
  • Server
  • Unified threat management
  • VPN
  • Vulnerability Scanner
  • Web Server
  • Wireless Security/Management

Available options for categories will differ depending on which product type you select, and available options for subcategories will differ depending on which category you select.

USM Appliance Event Taxonomy — Categories

Category Description

An event that indicates a particular system, service, or resource is being used.

Alert An alarm triggered from a security detection system.
Antivirus An event from an antivirus (or other endpoint security control) system.
Application A log entry from an application or service that cannot be matched to one of the other categories in the USM Appliance taxonomy.
Authentication An event from an authentication system, or the authentication sub-component of an application or operating system.
Availability An event from a resource-availability monitoring system.
Denial_Of_Service A possible denial-of-service attack has been detected via correlating events seen on the network.
Exploit Indicates the possible exploitation of a known vulnerability in a particular application or operating system.
Honeypot This is an event from a honeypot system. Any connection to them is assumed to be either from a mis-configured system or a malicious source.
Info An informational event, usually without direct significance to security. General system logs often fall into this category.
Inventory An event from an inventory management system, probably the systems built into USM Appliance.
Malware Malware has been detected, either running on a system, being transferred over the network, or communicating with a command-and-control system.
Policy A violation of your company's usage policy has been detected. This may be in the form of unapproved software installations, Internet services, or security configurations.
Recon A system has been detected scanning other systems on the network.
Suspicious This event represents a log entry that is unusual within the context of the system it originates from.
Voip This is an event from a Voice-Over-IP communication system.
Wireless This is an event from a wireless Ethernet (802.11) device.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.