Contributed By Lauren Barraco
Open Source Security Event Taxonomy
An overview of the classification system for security events in AlienVault USM and OSSIM

The first version of the AlienVault open source security event taxonomy is a classification system built from 20 main categories and 240 subcategories. Every event is labelled with a main category and a subcategory joined by a hyphen (for example Exploit-SQL_Injection), so an event's category can be read directly from its label. The 20 main categories are listed below:

  1. Access
  2. Alert
  3. Antivirus
  4. Application
  5. Authentication
  6. Availability
  7. Database
  8. Denial_Of_Service
  9. Exploit
  10. Honeypot
  11. Info
  12. Inventory
  13. Malware
  14. Network
  15. Policy
  16. Recon
  17. Suspicious
  18. System
  19. Voip
  20. Wireless

For advanced users, the entire classification system, one Category-Subcategory entry per line, is listed below:

Exploit-Shellcode
Exploit-SQL_Injection
Exploit-Browser
Exploit-ActiveX
Exploit-Command_Execution
Exploit-Cross_Site_Scripting
Exploit-FTP
Exploit-File_Inclusion
Exploit-Windows
Exploit-Directory_Traversal
Exploit-Attack_Response
Exploit-Denial_Of_Service
Exploit-PDF
Exploit-Buffer_Overflow
Exploit-Spoofing
Exploit-Format_String
Exploit-Misc
Exploit-DNS
Exploit-Mail
Exploit-Samba
Exploit-Linux
Authentication-Bruteforce
Authentication-Bypass
Authentication-Login
Authentication-Failed
Authentication-Cleartext
Authentication-Logout
Authentication-Disclosure
Authentication-Default_Credentials
Access-Web_Application_Access
Access-File_Access
Access-Misc
Malware-Spyware
Malware-Adware
Malware-Fake_Antivirus
Malware-KeyLogger
Malware-Trojan
Malware-Virus
Malware-Worm
Malware-Generic
Malware-Backdoor
Policy-Porn
Policy-P2P
Policy-Instant_Messaging_Chat
Policy-Anonymity
Policy-Games
Policy-Other
Denial_Of_Service-Web_Application
Denial_Of_Service-Application
Denial_Of_Service-Flood
Denial_Of_Service-DDoS
Suspicious-Blacklist_Address
Suspicious-Web_Attack_or_Scan
Suspicious-Bad_Traffic
Suspicious-Network_Activity
Suspicious-Scada_Activity
Suspicious-DNS_Activity
Suspicious-SSH_Activity
Suspicious-NFS_Activity
Suspicious-Database_Activity
Suspicious-Netbios_Activity
Suspicious-RPC_Activity
Suspicious-Mail_Activity
Network-TFTP_Activity
Network-FTP_Activity
Network-SNMP_Activity
Network-SMTP_Activity
Network-Telnet_Activity
Recon-Misc
Recon-Scanner
Info-Misc
Network-NTP_Activity
Network-SIP_Activity
Network-DHCP_Activity
Access-Firewall_Permit
Access-Firewall_Deny
Access-ACL_Permit
Access-ACL_Deny
Authentication-Policy_Added
Authentication-Policy_Changed
Authentication-Policy_Deleted
Authentication-FTP_Login_Succeeded
Authentication-FTP_Login_Failed
Authentication-Password_Change_Failed
Authentication-Password_Change_Succeeded
Authentication-User_Created
Authentication-User_Deleted
Authentication-User_Changed
Authentication-Admin_Access
Authentication-Group_Added
Authentication-Group_Deleted
Authentication-Group_Changed
Authentication-Auth_Required
Authentication-Account_Lockout
Authentication-Account_Unlocked
Malware-Virus_Detected
Antivirus-Virus_Detected
Antivirus-Virus_Quarantine
Antivirus-Virus_Quarantine_Failed
System-Configuration_Error
Antivirus-Definitions_Updated
Antivirus-Definitions_Updated_Failed
Antivirus-Unknown_Event
Antivirus-Started
Antivirus-Disabled
Antivirus-Scan_Started
Antivirus-Scan_Finished
Antivirus-Error
Application-Web_Opened
Application-Web_Closed
Application-Web_Reset
Application-Web_Terminated
Application-Web_Denied
Application-Web_Redirected
Application-Web_Proxy
Application-Web_Error
Application-Web_Misc
Application-Web_Not_Found
Access-Traffic_Inbound
Access-Traffic_Outbound
Access-Firewall_Misc_Event
Suspicious-Network_Anomaly
Suspicious-DNS_Protocol_Anomaly
Suspicious-SSH_Protocol_Anomaly
Suspicious-Telnet_Protocol_Anomaly
Suspicious-HTTP_Protocol_Anomaly
Suspicious-Mail_Protocol_Anomaly
Suspicious-FTP_Protocol_Anomaly
Suspicious-Threshold_Exceeded
Denial_Of_Service-Other
Access-File_Blocked
Access-Tunnel_Connection
Access-Tunnel_Closed
System-Warning
System-Emergency
System-Critical
System-Error
System-Notification
System-Information
System-Debug
System-Alert
Access-Connection_Opened
Access-Connection_Closed
Access-Timeout
System-Service_Started
System-Service_Stopped
System-Process_Started
System-Process_Stopped
Application-Spam_Detected
Application-Mail_Dropped
System-Restart
System-Started
System-Stopped
System-Locked
System-Unlocked
Network-IKE_Activity
Network-H.323_Activity
Network-PPP_Activity
Network-OCSP_Activity
Network-L2TP_Activity
Network-RIP_Activity
Network-PPTP_Activity
Network-SSL_Activity
Network-IGMP_Activity
Network-IPSEC_Activity
Network-PKI_Activity
Voip-Call_Started
Voip-Call_Ended
Voip-Misc
Network-BOOTP_Activity
Alert-IDS_Alert
Alert-IPS_Alert
Alert-HostIDS_Alert
Application-Mail_Sent
Application-Mail_Server_Misc
Application-Mail_Received
Availability-State_Up
Availability-State_Down
Availability-State_Critical
Availability-State_Warning
Availability-State_Unknown
Availability-State_Unreachable
Application-VPN_Opened
Application-VPN_Closed
Application-VPN_Denied
Application-VPN_Misc
System-Configuration_Changed
Network-Misc
Policy-Phishing
Wireless-New_Network
Wireless-Client_Associated
Wireless-Flood
Wireless-Disassociation
Wireless-Deauthentication
Wireless-Anomaly
Wireless-Spoofing
Wireless-Scanner_Detected
Wireless-Misc
Wireless-Probe
Inventory-Service_Detected
Inventory-Service_Change
Inventory-Service_Misc
Inventory-Operating_System_Detected
Inventory-Operating_System_Change
Inventory-Operating_System_Misc
Inventory-Mac_Detected
Inventory-Mac_Change
Inventory-Mac_Misc
Policy-Check_Failed
Policy-Check_Passed
Network-High_Load
Authentication-Error
Application-Web_Modified
Authentication-Misc
Application-DHCP_Release
Application-DHCP_Misc
Application-DHCP_Request
Application-DHCP_Lease
Application-DHCP_Pool_Exhausted
Application-DHCP_Error
System-Software_Installed
Honeypot-Connection_Opened
Honeypot-Attack_Detected
Honeypot-Connection_Closed
Honeypot-Misc
Application-DNS_Succesful_Zone_Tranfer
Application-DNS_Zone_Transfer_Failed
Application-DNS_Misc
Application-FTP_Command_Executed
Application-FTP_Error
Application-FTP_Connection_Opened
Application-FTP_Connection_Closed
Application-FTP_Misc
Database-Login
Database-Login_Failed
Database-Query
Database-Logout
Database-Stop
Database-Start
Database-Error
Database-Misc
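Every entry above follows the same pattern: main category, one hyphen, then the subcategory. The Python below is an added example, not code from AlienVault or from the USM/OSSIM project. It parses and validates labels against the 20 main categories (rejecting anything malformed, so a typo in a plugin's category mapping cannot quietly create a 21st category), groups the subcategories per category, and filters a small set of constructed sample events (hypothetical addresses, labels taken from the list) by category or by full label, the way a simple correlation rule would. The event dictionaries and their field names are assumptions for the example.

```python
"""Parse, validate and group AlienVault-style "Category-Subcategory" event labels.

Added example; this is not AlienVault USM/OSSIM code. It assumes only the naming
convention visible in the list above: main category, a single hyphen, then the
subcategory. Main category names contain underscores but never hyphens, so the
first hyphen is the separator (e.g. "Denial_Of_Service-Web_Application").
"""
from collections import defaultdict

# The 20 main categories exactly as listed on the page.
MAIN_CATEGORIES = frozenset({
    "Access", "Alert", "Antivirus", "Application", "Authentication",
    "Availability", "Database", "Denial_Of_Service", "Exploit", "Honeypot",
    "Info", "Inventory", "Malware", "Network", "Policy", "Recon",
    "Suspicious", "System", "Voip", "Wireless",
})


def parse_label(label):
    """Split a taxonomy label into (category, subcategory).

    Raises ValueError for labels that do not follow the convention, so a typo
    in a plugin's category mapping fails loudly instead of silently creating
    a 21st category.
    """
    if not isinstance(label, str) or "-" not in label:
        raise ValueError(f"no category separator in {label!r}")
    category, subcategory = label.split("-", 1)  # first hyphen is the separator
    if category not in MAIN_CATEGORIES:
        raise ValueError(f"unknown main category {category!r} in {label!r}")
    if not subcategory:
        raise ValueError(f"empty subcategory in {label!r}")
    return category, subcategory


def group_by_category(labels):
    """Map each main category to its sorted, de-duplicated subcategories."""
    groups = defaultdict(set)
    for label in labels:
        category, subcategory = parse_label(label)
        groups[category].add(subcategory)
    return {category: sorted(subs) for category, subs in sorted(groups.items())}


def select_events(events, wanted):
    """Return the events whose "taxonomy" field matches an entry in `wanted`.

    An entry may be a bare main category ("Exploit", matching every Exploit-*
    event) or a full label ("Authentication-Bruteforce"). Every event label is
    validated first, so a malformed label in the feed is an error, not a miss.
    """
    hits = []
    for event in events:
        category, _ = parse_label(event["taxonomy"])
        if category in wanted or event["taxonomy"] in wanted:
            hits.append(event)
    return hits


# Constructed sample events: hypothetical hosts, labels taken from the list above.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "taxonomy": "Authentication-Bruteforce"},
    {"src": "203.0.113.7", "dst": "10.0.0.8", "taxonomy": "Exploit-SQL_Injection"},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "taxonomy": "Network-H.323_Activity"},
    {"src": "10.0.0.5", "dst": "10.0.0.5", "taxonomy": "System-Information"},
    {"src": "203.0.113.7", "dst": "10.0.0.8", "taxonomy": "Exploit-Directory_Traversal"},
]


if __name__ == "__main__":
    print(group_by_category(e["taxonomy"] for e in SAMPLE_EVENTS))
    for hit in select_events(SAMPLE_EVENTS, {"Exploit", "Authentication-Bruteforce"}):
        print(hit["src"], "->", hit["dst"], hit["taxonomy"])
```

Splitting on the first hyphen only is what makes subcategories such as H.323_Activity or Web_Attack_or_Scan parse correctly; validating the category against the fixed set of 20 is the check worth keeping in any normalizer that feeds these labels into correlation rules.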


About The Contributor

Lauren Barraco

Alienvault

Product Marketing Manager
