SureLog SIEM Taxonomy

SureLog SIEM
Aug 13, 2020

How does SureLog detect events such as a failed login across all brands and types of devices? The answer lies in the taxonomy it uses.

A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.

Using normalized events and taxonomy categories is highly recommended in correlation because they make the rule easier to modify, maintain and apply to additional log sources.

A Walk Through Logs Hell — Xavier Mertens
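The normalization the quote describes, as an added example that is not SureLog's code: three constructed log formats (a Windows-style event, a Linux sshd line and a firewall-style line) are mapped onto the page's "Failed Login" and "Successful Login" categories, and one correlation rule then runs over the normalized stream regardless of which device produced each event. The log formats, field names and threshold are assumptions made for the illustration.

```python
"""Added example (not SureLog code): normalize heterogeneous login records
into one taxonomy category so a single correlation rule covers all of them."""
import re
from collections import Counter

# Constructed sample lines, loosely modelled on Windows, Linux sshd and a
# generic firewall syslog format; they are not real SureLog input or output.
SAMPLE_LOGS = [
    "WIN host=dc01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5",
    "Jan 10 10:01:02 srv1 sshd[1]: Failed password for bob from 10.0.0.5 port 5",
    "Jan 10 10:01:03 srv1 sshd[1]: Accepted password for bob from 10.0.0.9 port 5",
    "FW host=fw1 action=auth-fail user=carol src=10.0.0.5",
    "WIN host=dc01 EventID=4624 TargetUserName=alice IpAddress=10.0.0.7",
]

# One parser per vendor format; each maps raw fields to a taxonomy category
# named on the page ("Failed Login" / "Successful Login") plus user and source.
PARSERS = [
    (re.compile(r"EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"),
     lambda m: "Failed Login" if m["id"] == "4625" else "Successful Login"),
    (re.compile(r"sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
     lambda m: "Failed Login" if m["res"] == "Failed" else "Successful Login"),
    (re.compile(r"action=(?P<res>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)"),
     lambda m: "Failed Login" if m["res"] == "auth-fail" else "Successful Login"),
]

def normalize(line):
    """Return {'taxonomy', 'user', 'src'} for a recognised format, else None."""
    for pattern, classify in PARSERS:
        m = pattern.search(line)
        if m:
            return {"taxonomy": classify(m), "user": m["user"], "src": m["src"]}
    return None  # unparsed lines should be counted and reviewed, not silently dropped

def failed_login_sources(lines, threshold=3):
    """One correlation rule over the normalized stream: sources that produced at
    least `threshold` Failed Login events, whichever device type reported them."""
    events = (e for e in map(normalize, lines) if e and e["taxonomy"] == "Failed Login")
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_login_sources(SAMPLE_LOGS))  # {'10.0.0.5': 3}
```

Adding a fourth device type means adding one parser entry; the correlation rule itself does not change, which is the maintenance benefit the quote refers to.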

With the ability to translate all log types into a single taxonomy, SureLog provides immediate time-to-value in applying SIEM: customers are empowered to build, manage and effectively transform their businesses through a unified cybersecurity solution.

Taxonomy, or event categorization, is common in SIEM solutions. The question is how strong, deep and powerful your SIEM taxonomy capability is.

Almost all SIEM solutions have taxonomies for:

· Successful Login

· Failed Login

· UserLogoff

· File Access

· Firewall Drop

· Firewall Accept

· ProcessStart

· ProcessStop

· SystemReboot

· SystemScanStart

· SystemScanStop

· SystemShutdown

· WebAccess

· Session Start

· Session Stop

· User Created

· User Deleted

· DeleteGroup

· DeleteDomainMember

· Password changed

· Account Modified

· Account Expired

· Attack

· Malicious

· VPN connected

· VPN Disconnected

But SureLog has thousands more taxonomies, such as:

· MailServiceAccess

· MailServiceDenial

· MailSpamDenial

· ICMP CODE Destination Network Unknown

· UnusualICMPTraffic->ICMP Echo Reply

· UnusualICMPTraffic->ICMP Unassigned

· UnusualICMPTraffic->ICMP Host Unreachable

· UnusualICMPTraffic->ICMP Source Quench

· UnusualICMPTraffic->ICMP Redirect

· UnusualICMPTraffic->ICMP Alternate Host Address

· UnusualICMPTraffic->ICMP Echo Request

· UnusualICMPTraffic->ICMP Router Advertisement

· UnusualICMPTraffic->ICMP Router Selection

· UnusualICMPTraffic->ICMP Time Exceeded

· UnusualICMPTraffic->ICMP Parameter Problem

· MachineAuthTicket

· MachineLogoff

· MachineLogon

· ICMP CODE Alternate Address for Host

· Multicast Router Advertisement

· ICMP CODE Destination Unreachable for Service

· ICMP CODE Destination is Administratively Prohibited

· WebTrafficAudit->Adware

· VirusTrafficAccess->Web Content

· VirusTrafficAccess->Adware

· FileTransferTrafficAudit->Adware

· NamingTrafficAudit->Zone Transfer

· UnusualUDPTraffic->ICMP IPv6 Where-are-you

· UnusualUDPTraffic

· UnusualTCPTraffic

· ApplicationTrafficAudit->Access Denied

· WebTrafficAudit->Header Malformed

· PingOfDeathDenial

· LandAttackDenial

· LinkControlAccess

· LinkControlDenial

· LinkControlTrafficAudit

· MachineAuthAudit

· MachineLogonFailure

· MachineModifyAttribute

· MachineModifyPrivileges

SureLog has more than 1000 taxonomies.
