USM Appliance Event Taxonomy

Applies to Product: USM Appliance™ LevelBlue OSSIM®

LevelBlue event taxonomy is a classification system for security events. It provides the USM Appliance correlation engine with a standardized framework of product types, categories, and subcategories on which to operate. Normalizing disparately formatted log entries received from different types of assets into the taxonomy's single framework enables the correlation engine to detect patterns of behavior occurring across all managed assets.
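The following sketch is an added example, not LevelBlue code or the USM Appliance plugin format. It shows why normalization matters for correlation: two differently formatted logs map to the same taxonomy class, so a single rule written against the taxonomy matches both. The source names, taxonomy values, log formats, and the functions `normalize` and `correlate` are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed mapping from (data source, native event id) to a taxonomy triple
# (product type, category, subcategory). Values are illustrative assumptions,
# not the taxonomy shipped with USM Appliance.
TAXONOMY = {
    ("sshd", "auth_fail"): ("Server", "Authentication", "Failed"),
    ("winsec", "4625"): ("Operating System", "Authentication", "Failed"),
    ("winsec", "4624"): ("Operating System", "Authentication", "Login"),
}

# One parser per source format: (source name, pattern, native-id extractor).
PARSERS = [
    ("sshd", re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<ip>\S+)"),
     lambda m: "auth_fail"),
    ("winsec", re.compile(r"EventID=(?P<id>\d+) .*SourceIp=(?P<ip>\S+)"),
     lambda m: m.group("id")),
]

def normalize(line):
    """Return a normalized event dict, or None if nothing matches."""
    for source, pattern, native_id in PARSERS:
        m = pattern.search(line)
        if not m:
            continue
        tax = TAXONOMY.get((source, native_id(m)))
        if tax is None:
            return None  # parsed, but no taxonomy entry: cannot be correlated
        keys = ("product_type", "category", "subcategory")
        return {"source": source, "src_ip": m.group("ip"), **dict(zip(keys, tax))}
    return None

def correlate(lines, category, subcategory, min_sources=2):
    """Source IPs seen in one taxonomy class across >= min_sources data sources."""
    seen = defaultdict(set)
    for line in lines:
        ev = normalize(line)
        if ev and (ev["category"], ev["subcategory"]) == (category, subcategory):
            seen[ev["src_ip"]].add(ev["source"])
    return sorted(ip for ip, srcs in seen.items() if len(srcs) >= min_sources)

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Jan 10 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "EventID=4625 Computer=dc01 TargetUser=admin SourceIp=203.0.113.7",
    "EventID=4624 Computer=dc01 TargetUser=alice SourceIp=198.51.100.4",
    "Jan 10 03:15:40 web01 sshd[2290]: Failed password for bob from 198.51.100.9 port 40222 ssh2",
]
```

Calling `correlate(SAMPLE, "Authentication", "Failed")` returns only the address that failed authentication on both the SSH server and the Windows host, a pattern that neither raw log format exposes on its own.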

LevelBlue event taxonomy is used in conjunction with data sources in the following areas on USM Appliance:

  • Policies — Policy conditions use taxonomy to define the types of events that USM Appliance should process. Event types can be selected using either DS Groups or Taxonomy. See Policy Conditions for a description of taxonomy event types.
  • Correlation Directives — Similar to policies, when creating a new directive, you can use taxonomy to specify the plugins (data sources) that the directive concentrates on.
  • Security Events — Taxonomy information for individual security events is displayed on the event details page. See Review Event Details for more information.

To see a complete list of event taxonomy, go to Configuration > Threat Intelligence > Taxonomy. Click the green plus sign next to each category to display the subcategories.

Screenshot of USM Taxonomy page with category and subcategories highlighted.

Clicking the category or subcategory directly opens a new page displaying all the data sources associated with the category or subcategory respectively.

Displaying data sources associated with the "Alert" category

USM Appliance uses event taxonomy to classify data sources (the product type) and provide further granularity that defines the category and subcategory for each event type.

Go to Configuration > Threat Intelligence > Data Source to view the list of data sources and their product types.

Screenshot of USM Data Source page with Product Type and Details icon highlighted.

Click the details icon to view the category and subcategories assigned to the event type:

Screenshot of USM Data Source Details page with Category and Subcategory highlighted.

For a list of product types, categories, and subcategories that comprise the LevelBlue event taxonomy, see Product Types and Categories.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.