SIEM Taxonomy Identification

NormShield includes a taxonomy identification number for each SIEM log it produces through the SIEM APIs, denoted with TaxID in API responses.

For vulnerabilities, 200x numbers are assigned according to the following classification of vulnerability category types:

2001: WebApp
2002: OS
2003: DB
2004: NetSec
2005: Design
2006: AppServer

For software bugs, 300x numbers are assigned; 3001 is currently the only one and covers all software bugs:

3001: Software Bugs

For alarms, 100x numbers are assigned according to the following classification of alarm types:

1167: ASN Trace Route Change
1127: Asset Discovery - Finished
1126: Asset Discovery - Started
1119: Brand - Similar Domain
1120: Brand - Social Monitor
1152: Brand - Social Sub Domains
1108: Data Leakage - Creditcard
1123: Data Leakage - Customer Account
1109: Data Leakage - Email
1107: Data Leakage - IP Address
1124: Data Leakage - Sensitive Data
1106: Data Leakage - Suspicious Content
1052: Discovery - New IP Asset Found
1148: DNS Amplification Control
1168: DnsMon - First DNS Scan Completed
1169: DnsMon - Grade or Issue List Changed
1005: Domain - About to Expire - 15 days
1004: Domain - About to Expire - 45 days
1003: Domain - About to Expire - 90 days
1160: Domain - Expired
1053: Domain - Information Changed
1161: Domain - Monitor Started
1141: Dynamic DNS Url
1154: Firewall Detected
1155: Firewall Status Changed
1024: Fraudulent Domain - Change of IP Resolved
1018: Fraudulent Domain - Information Change
1019: Fraudulent Domain - Phishing or Malware
1017: Fraudulent Domain - Registration
1125: Fraudulent Domain - Registration/Research
1104: Fraudulent Mobile App
1149: Google Play Market - App Detected
1122: Info Gathering - A Record Changed
1172: Info Gathering - AAAA Record Changed
1165: Info Gathering - CNAME Record Changed
1164: Info Gathering - MX Record Changed
1166: Info Gathering - Name Server Changed
1115: Info Gathering - New Subdomain
1147: Info Gathering - Reverse Whois Lookup
1150: iTunes App Store - App Detected
1054: New Product Detection
1022: Passive Scan - New Possible Vuln
1023: Passive Scan - New Product Detection
1050: Portmap - Critical Port Detected
1058: Portmap - New Ports Opened
1057: Portmap - Ports Closed
1056: Portmap - Ports Opened
1016: Portmap - Service Change
1055: Portmap - SYN Flood Protection Detected
1144: Reputation - Blacklist Detection
1132: Reputation - BlackList Query Result
1153: Reputation - Brand Detected in Malicious Source
1129: Reputation - DNS Query Result
1140: Reputation - Malicious Asset Detected - Premium
1151: Reputation - Malicious Block Possible Bad Reputation
1103: Reputation - Malware Detected
1114: Reputation - Open Proxy Detection
1145: Reputation - Phishing Detection
1118: Reputation - SMTP Blacklist Detection
1136: Reputation - SMTP Query Result
1146: Reputation - Spam Detection
1142: Reputation - Suspicious Content
1170: SmtpMon - First SMTP Scan Completed
1171: SmtpMon - Grade or Issue List Changed
1111: Social Account - Exceeded Daily Post Limit
1101: Social Account - Malicious Content Identified
1112: Social Account - Picture Changed
1102: Social Media - Suspicious Content Identified
1113: Source Code Leakage - Github
1135: Source Code Leakage - Stackoverflow
1012: SSL Certificate - About to Expire - 15 days
1010: SSL Certificate - About to Expire - 45 days
1009: SSL Certificate - About to Expire - 90 days
1163: SSL Certificate - Grade Monitor Started
1011: SSL Certificate - Information Change
1162: SSL Certificate - Monitor Started
1051: SSL Grade Changed
1105: Uptime Monitor
1128: Virus Total - Malicious Asset
1116: Weakness Gathering - CMS Weakness
1007: Web Asset - Change of IP Resolved
1117: Web Defacement - Suspicious Content
1121: Web Scan - Suspicious Content Identified