Classification category

Aim :

Put alerts in different (optionals) categories to simplify the work of people supervising.

Description :

Create a new attribute "Category" at the same level as Classification.

Needs to create/find a list of categories (ex : authentication, authorisation, etc.)

Pros :

  • The classification from the agent are not standard so it is difficult for a "non expert" to find it's way. Categories could really help knowing that IDMEF has this "complicated" image.
  • The same event can have different names depending on the agent ("authentication failed", "wrong password", "bad login or password", etc.) eventhough it's obvious it's the same event.
  • Work have been done on that with LogLogic for example (based on IDMEF)

Cons :

  • Needs to find a list of categories
  • Is it always possible to put event in a category (and is there allways only one category per event)

Questions :

Commentaire HD/YV:

- Cette énumération existe déjà dans l'objet IMPACT. Utilisation et amélioration de l'énumération. Voir Enumeration.
- A débattre : possibilité de spécifier plusieurs IMPACT type.