SecurityCategory is used to standardize security categories across products, so that one product's event is not categorized as "malware" while another product's equivalent event is categorized as a "virus".
| Enum | Description |
|---|---|
| UNKNOWN_CATEGORY | The default category. |
| SOFTWARE_MALICIOUS | Malware, spyware, rootkit. |
| SOFTWARE_SUSPICIOUS | Below the conviction threshold; probably bad. |
| SOFTWARE_PUA | Potentially Unwanted App (such as adware). |
| NETWORK_MALICIOUS | Includes C&C or network exploit. |
| NETWORK_SUSPICIOUS | Suspicious activity, such as a potential reverse tunnel. |
| NETWORK_CATEGORIZED_CONTENT | Non-security related: URL has a category such as gambling or porn. |
| NETWORK_DENIAL_OF_SERVICE | DoS, DDoS. |
| NETWORK_RECON | Port scan detected by an IDS, probing of a web app. |
| NETWORK_COMMAND_AND_CONTROL | Used when the event is known to be a C&C channel. |
| ACL_VIOLATION | Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. |
| AUTH_VIOLATION | Authentication failed (e.g. bad password or bad 2-factor authentication). |
| EXPLOIT | Exploit: for all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. Covers both network- and host-based exploits. |
| DATA_EXFILTRATION | DLP: sensitive data transmission, copy to thumb drive. |
| DATA_AT_REST | DLP: sensitive data found at rest in a scan. |
| DATA_DESTRUCTION | Attempt to destroy/delete data. |
| TOR_EXIT_NODE | TOR exit nodes. |
| MAIL_SPAM | Spam email, message, etc. |
| MAIL_PHISHING | Phishing email, chat messages, etc. |
| MAIL_SPOOFING | Spoofed source email address, etc. |
| POLICY_VIOLATION | Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). |
| SOCIAL_ENGINEERING | Threats which manipulate people to break normal security procedures. |
| PHISHING | Phishing pages, pops, https phishing, etc. |
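The point of the enum is that a parser for each product maps that product's own labels onto one shared set of values, so a detection rule written against `SOFTWARE_MALICIOUS` fires whether the source called it "virus" or "malware". The following is an added example, not code from the original page or from any product: it defines the SecurityCategory values from the table above as a Python `Enum`, maps labels from constructed, hypothetical products (`av_one`, `edr_two`, `mail_three`, `ids_four`) onto them with an explicit per-product table, and falls back to ordered keyword rules (also constructed) for labels the table does not know, returning `UNKNOWN_CATEGORY` when nothing matches.

```python
"""Map vendor-specific detection labels onto the SecurityCategory enum.

Added example, not from the original page. The enum members are the
SecurityCategory values from the table; vendor names, labels, keyword
rules and sample events are constructed for illustration.
"""
import re
from collections import Counter
from enum import Enum, auto


class SecurityCategory(Enum):
    UNKNOWN_CATEGORY = auto()
    SOFTWARE_MALICIOUS = auto()
    SOFTWARE_SUSPICIOUS = auto()
    SOFTWARE_PUA = auto()
    NETWORK_MALICIOUS = auto()
    NETWORK_SUSPICIOUS = auto()
    NETWORK_CATEGORIZED_CONTENT = auto()
    NETWORK_DENIAL_OF_SERVICE = auto()
    NETWORK_RECON = auto()
    NETWORK_COMMAND_AND_CONTROL = auto()
    ACL_VIOLATION = auto()
    AUTH_VIOLATION = auto()
    EXPLOIT = auto()
    DATA_EXFILTRATION = auto()
    DATA_AT_REST = auto()
    DATA_DESTRUCTION = auto()
    TOR_EXIT_NODE = auto()
    MAIL_SPAM = auto()
    MAIL_PHISHING = auto()
    MAIL_SPOOFING = auto()
    POLICY_VIOLATION = auto()
    SOCIAL_ENGINEERING = auto()
    PHISHING = auto()


# Exact per-product table (constructed vendors and labels). A parser for a
# known product should map its labels explicitly rather than rely on keywords.
VENDOR_MAP = {
    ("av_one", "virus"): SecurityCategory.SOFTWARE_MALICIOUS,
    ("av_one", "pup"): SecurityCategory.SOFTWARE_PUA,
    ("edr_two", "malware"): SecurityCategory.SOFTWARE_MALICIOUS,
    ("edr_two", "suspicious_binary"): SecurityCategory.SOFTWARE_SUSPICIOUS,
    ("mail_three", "phish"): SecurityCategory.MAIL_PHISHING,
    ("ids_four", "portscan"): SecurityCategory.NETWORK_RECON,
}

# Keyword fallback, checked in order: specific categories come first so a
# "C2 beacon" label is not swallowed by the generic malware rule.
KEYWORD_RULES = [
    (r"\b(c2|c&c|command.and.control|beacon)\b", SecurityCategory.NETWORK_COMMAND_AND_CONTROL),
    (r"\b(ddos|dos|denial.of.service)\b", SecurityCategory.NETWORK_DENIAL_OF_SERVICE),
    (r"\b(port.?scan|recon|probe)", SecurityCategory.NETWORK_RECON),
    (r"\btor.exit", SecurityCategory.TOR_EXIT_NODE),
    (r"\bspam\b", SecurityCategory.MAIL_SPAM),
    (r"\bspoof", SecurityCategory.MAIL_SPOOFING),
    (r"\bphish", SecurityCategory.PHISHING),  # mail products map to MAIL_PHISHING via VENDOR_MAP
    (r"\b(exfil\w*|dlp)\b", SecurityCategory.DATA_EXFILTRATION),
    (r"\b(exploit|overflow|sqli|sql.injection|rop)\b", SecurityCategory.EXPLOIT),
    (r"\b(auth\w*|login|password)\b.*\b(fail\w*|denied)\b", SecurityCategory.AUTH_VIOLATION),
    (r"\b(pua|pup|adware|unwanted)\b", SecurityCategory.SOFTWARE_PUA),
    (r"\b(virus|malware|trojan|rootkit|spyware|ransomware|worm)\b", SecurityCategory.SOFTWARE_MALICIOUS),
    (r"\bsuspicious\b", SecurityCategory.SOFTWARE_SUSPICIOUS),
]
COMPILED_RULES = [(re.compile(p, re.I), cat) for p, cat in KEYWORD_RULES]


def normalize(vendor: str, label: str) -> SecurityCategory:
    """Return the category for one product's label; UNKNOWN_CATEGORY if nothing fits."""
    exact = VENDOR_MAP.get((vendor.lower(), label.lower()))
    if exact is not None:
        return exact
    for pattern, category in COMPILED_RULES:
        if pattern.search(label):
            return category
    return SecurityCategory.UNKNOWN_CATEGORY


def category_counts(events):
    """Count normalized categories over (vendor, label) pairs."""
    return Counter(normalize(vendor, label) for vendor, label in events)


# Constructed sample events from the hypothetical products above.
SAMPLE_EVENTS = [
    ("av_one", "virus"),
    ("edr_two", "malware"),
    ("edr_two", "Trojan.Generic quarantined"),  # not in the table; keyword rule applies
    ("mail_three", "phish"),
    ("ids_four", "portscan"),
    ("ids_four", "C2 beacon to known bad host"),
    ("ids_four", "something the parser has never seen"),
]

if __name__ == "__main__":
    for category, n in category_counts(SAMPLE_EVENTS).most_common():
        print(f"{category.name:30s} {n}")
```

Running the block shows three distinct vendor labels ("virus", "malware", "Trojan.Generic quarantined") collapsing into `SOFTWARE_MALICIOUS`, which is what lets a single detection or report key on the standard category. Labels the fallback cannot place land in `UNKNOWN_CATEGORY` rather than being guessed, so a count of that value over time is a useful signal that a parser's mapping table needs extending.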