Skip to main content
Version: Self Hosted Turbo

Classifying SIEM Events

The various events occurring in the system are captured and matched with rules in different severity levels (0-15). The events are also categorized based on the compliance standards supported.

SIEM Rules

The rules are classified in multiple levels, from the lowest (0) to the maximum (15). The following table describes each one, which can be useful to understand the severity of each triggered alert.

LevelTitleDescription
0IgnoredNo action taken. Used to avoid false positives. These rules are scanned before all the others. Include events with no security relevance.
2System low priority notificationSystem notification or status messages. These have no security relevance.
3Successful/Authorized eventsThese include successful login attempts, firewall allow events, etc.
4System low priority errorErrors related to bad configurations or unused devices/applications. These have no security relevance and are usually caused by default installations or software testing.
5User generated errorThese include missed passwords, denied actions, etc. By themselves, these have no security relevance.
6Low relevance attackThese indicate a worm or a virus that have no affect to the system (like code red for apache servers, etc). These also include frequently IDS events and frequently errors.
7"Bad word" matchingThese include words like "bad", "error", etc. These events are most of the time unclassified and may have some security relevance.
8First time seenInclude first time seen events. First time an IDS event is fired or the first time a user logged in. It also includes security relevant actions (like the starting of a sniffer or something like that)
9Error from invalid sourceInclude attempts to login as an unknown user or from an invalid source. May have security relevance(specially if repeated). These also include errors regarding the "admin" (root) account.
10Multiple user generated errorsThese include multiple bad passwords, multiple failed logins, etc. These may indicate at attack or may just be that a user just forgot hi credentials.
11Integrity checking warningThese include messages regarding the modification of binaries or the presence of rootkits (by Rootcheck). These may indicate a successful attack. Also included IDS events that will be ignored (high number of repetitions).
12High importance eventThese include error or warning messages from the system, kernel, etc. These may indicate an attack against a specific application.
13Unusual error (high importance)Most of the times it matches a common attack pattern.
14High importance security eventMost of the times done with correlation and it indicates an attack.
15Severe attackNo chances of false positives. Immediate attention is necessary.