High-level event categories
Events in IBM QRadar log sources are grouped into high-level categories. Each event is assigned to a specific high-level category.
Categorizing the incoming events ensures that you can easily search the data.
The following table describes the high-level event categories.
| Category | Category ID | Description |
|---|---|---|
| Recon | 1000 | Events that are related to scanning and other techniques that are used to identify network resources, for example, network or host port scans. |
| DoS | 2000 | Events that are related to denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks. |
| Authentication | 3000 | Events that are related to authentication controls, group, or privilege change, for example, log in or log out. |
| Access | 4000 | Events resulting from an attempt to access network resources, for example, firewall accept or deny. |
| Exploit | 5000 | Events that are related to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits. |
| Malware | 6000 | Events that are related to viruses, trojans, back door attacks, or other forms of hostile software. Malware events might include a virus, trojan, malicious software, or spyware. |
| Suspicious Activity | 7000 | The nature of the threat is unknown but behavior is suspicious. The threat might include protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known intrusion detection system (IDS) evasion techniques. |
| System | 8000 | Events that are related to system changes, software installation, or status messages. |
| Policy | 9000 | Events regarding corporate policy violations or misuse. |
| Unknown | 10000 | Events that are related to unknown activity on your system. |
| CRE | 12000 | Events that are generated from an offense or event rule. |
| Potential Exploit | 13000 | Events relate to potential application exploits and buffer overflow attempts. |
| Flow | 14000 | Events that are related to flow actions. |
| User Defined | 15000 | Events that are related to user-defined objects. |
| SIM Audit | 16000 | Events that are related to user interaction with the Console and administrative functions. |
| VIS Host Discovery | 17000 | Events that are related to the host, ports, or vulnerabilities that the VIS component discovers. |
| Application | 18000 | Events that are related to application activity. |
| Audit | 19000 | Events that are related to audit activity. |
| Risk | 20000 | Events that are related to risk activity in IBM QRadar Risk Manager. |
| Risk Manager Audit | 21000 | Events that are related to audit activity in QRadar Risk Manager. |
| Control | 22000 | Events that are related to your hardware system. |
| Asset Profiler | 23000 | Events that are related to asset profiles. |
| Sense | 24000 | Events that are related to UBA. |