Event categories
Event categories are used to group incoming events for processing by IBM Security QRadar® Log Insights. The event categories are searchable and help you monitor your network.
Events that occur on your network are aggregated into high-level and low-level categories. Each high-level category contains low-level categories and an associated severity level and ID number.
You can review the severity levels that are assigned to events and adjust them to suit your corporate policy needs.
You can run an AQL query by using high-level and low-level event category IDs. The category IDs for the associated category names can be retrieved from the event category tables.
For example, if you are developing applications on QRadar Log Insights, you can run an AQL search similar to the following query from the command line to gather data from Ariel. Replace the placeholders with the high-level and low-level category IDs from the tables that follow; in AQL these IDs are carried by the highlevelcategory and category event properties:

```sql
SELECT QIDNAME(qid) AS 'Event', username AS 'Username', devicetime AS 'Time'
FROM events
WHERE highlevelcategory = <high-level category ID>
  AND category = <low-level category ID>
  AND LOGSOURCENAME(logsourceid) LIKE '%<Low-level category name>%'
LAST 3 DAYS
```
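A fuller query built from the IDs in the tables that follow, as an added example that is not from the IBM page: it counts failed logins per user and low-level category within the Authentication high-level category (3000) over the last 24 hours and keeps only users with 10 or more failures. It assumes the AQL event properties highlevelcategory (high-level ID) and category (low-level ID), that AQL accepts /* */ comments, and the Ariel alias convention of AS 'Alias' in SELECT referenced as "Alias" in ORDER BY.

```sql
/* Added example, not from the IBM page: failed-authentication events per
   user, using low-level IDs from the Authentication table on this page.
   Assumes the event properties highlevelcategory and category. */
SELECT
    username               AS 'Username',
    CATEGORYNAME(category) AS 'Low-level category',
    category               AS 'Category ID',
    COUNT(*)               AS 'Failures',
    MAX(devicetime)        AS 'Last failure'
FROM events
WHERE highlevelcategory = 3000          /* Authentication */
  AND category IN (
        3003,  /* Host Login Failed */
        3005,  /* Misc Login Failed */
        3006,  /* Privilege Escalation Failed */
        3009,  /* Mail Service Login Failed */
        3010,  /* Auth Server Login Failed */
        3013,  /* Web Service Login Failed */
        3015,  /* Admin Login Failure */
        3020,  /* FTP Login Failed */
        3022,  /* SSH Login Failed */
        3045,  /* Remote Access Login Failed */
        3047,  /* General Authentication Failed */
        3049,  /* Telnet Login Failed */
        3076,  /* Database Login Failure */
        3087,  /* RADIUS Authentication Failed */
        3116   /* User Login Failure */
      )
  AND username IS NOT NULL              /* drop events with no parsed user */
GROUP BY username, category
HAVING COUNT(*) >= 10                   /* review threshold; tune per policy */
ORDER BY "Failures" DESC
LIMIT 50
LAST 24 HOURS
```

Because the low-level IDs are stable across log source types, the same query covers failed logins from firewalls, directory servers and databases without per-device field mapping.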
High-level event categories
Events in IBM Security QRadar Log Insights log sources are grouped into high-level categories. Each event is assigned to a specific high-level category.
Categorizing the incoming events ensures that you can easily search the data.
The following table describes the high-level event categories.
Category | Category ID | Description |
---|---|---|
Recon | 1000 | Events that are related to scanning and other techniques that are used to identify network resources, for example, network or host port scans. |
DoS | 2000 | Events that are related to denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks. |
Authentication | 3000 | Events that are related to authentication controls and to group or privilege changes, for example, log in or log out. |
Access | 4000 | Events resulting from an attempt to access network resources, for example, firewall accept or deny. |
Exploit | 5000 | Events that are related to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits. |
Malware | 6000 | Events that are related to viruses, trojans, back door attacks, or other forms of hostile software. Malware events might include a virus, trojan, malicious software, or spyware. |
Suspicious Activity | 7000 | The nature of the threat is unknown but behavior is suspicious. The threat might include protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known intrusion detection system (IDS) evasion techniques. |
System | 8000 | Events that are related to system changes, software installation, or status messages. |
Policy | 9000 | Events regarding corporate policy violations or misuse. |
Unknown | 10000 | Events that are related to unknown activity on your system. |
CRE | 12000 | Events that are generated from an offense or event rule. |
Potential Exploit | 13000 | Events that are related to potential application exploits and buffer overflow attempts. |
Flow | 14000 | Events that are related to flow actions. |
User Defined | 15000 | Events that are related to user-defined objects. |
SIM Audit | 16000 | Events that are related to user interaction with the Console and administrative functions. |
VIS Host Discovery | 17000 | Events that are related to the host, ports, or vulnerabilities that the VIS component discovers. |
Application | 18000 | Events that are related to application activity. |
Audit | 19000 | Events that are related to audit activity. |
Risk | 20000 | Events that are related to risk activity in IBM® Security Risk Manager. |
Risk Manager Audit | 21000 | Events that are related to audit activity in Risk Manager. |
Control | 22000 | Events that are related to your hardware system. |
Asset Profiler | 23000 | Events that are related to asset profiles. |
Sense | 24000 | Events that are related to UBA. |
Recon
The Recon category contains events that are related to scanning and other techniques that are used to identify network resources.
The following table describes the low-level event categories and associated severity levels for the Recon category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Form of Recon | 1001 | An unknown form of reconnaissance. | 2 |
Application Query | 1002 | Reconnaissance to applications on your system. | 3 |
Host Query | 1003 | Reconnaissance to a host in your network. | 3 |
Network Sweep | 1004 | Reconnaissance on your network. | 4 |
Mail Reconnaissance | 1005 | Reconnaissance on your mail system. | 3 |
Windows Reconnaissance | 1006 | Reconnaissance for Windows operating system. | 3 |
Portmap / RPC Request | 1007 | Reconnaissance on your portmap or RPC request. | 3 |
Host Port Scan | 1008 | Indicates that a scan occurred on the host ports. | 4 |
RPC Dump | 1009 | Indicates that Remote Procedure Call (RPC) information is removed. | 3 |
DNS Reconnaissance | 1010 | Reconnaissance on the DNS server. | 3 |
Misc Reconnaissance Event | 1011 | Miscellaneous reconnaissance event. | 2 |
Web Reconnaissance | 1012 | Web reconnaissance on your network. | 3 |
Database Reconnaissance | 1013 | Database reconnaissance on your network. | 3 |
ICMP Reconnaissance | 1014 | Reconnaissance on ICMP traffic. | 3 |
UDP Reconnaissance | 1015 | Reconnaissance on UDP traffic. | 3 |
SNMP Reconnaissance | 1016 | Reconnaissance on SNMP traffic. | 3 |
ICMP Host Query | 1017 | Indicates an ICMP host query. | 3 |
UDP Host Query | 1018 | Indicates a UDP host query. | 3 |
NMAP Reconnaissance | 1019 | Indicates NMAP reconnaissance. | 3 |
TCP Reconnaissance | 1020 | Indicates TCP reconnaissance on your network. | 3 |
UNIX Reconnaissance | 1021 | Reconnaissance on your UNIX network. | 3 |
FTP Reconnaissance | 1022 | Indicates FTP reconnaissance. | 3 |
DoS
The DoS category contains events that are related to denial-of-service (DoS) attacks against services or hosts.
The following table describes the low-level event categories and associated severity levels for the DoS category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown DoS Attack | 2001 | Indicates an unknown DoS attack. | 8 |
ICMP DoS | 2002 | Indicates an ICMP DoS attack. | 9 |
TCP DoS | 2003 | Indicates a TCP DoS attack. | 9 |
UDP DoS | 2004 | Indicates a UDP DoS attack. | 9 |
DNS Service DoS | 2005 | Indicates a DNS service DoS attack. | 8 |
Web Service DoS | 2006 | Indicates a web service DoS attack. | 8 |
Mail Service DoS | 2007 | Indicates a mail server DoS attack. | 8 |
Distributed DoS | 2008 | Indicates a distributed DoS attack. | 9 |
Misc DoS | 2009 | Indicates a miscellaneous DoS attack. | 8 |
UNIX DoS | 2010 | Indicates a UNIX DoS attack. | 8 |
Windows DoS | 2011 | Indicates a Windows DoS attack. | 8 |
Database DoS | 2012 | Indicates a database DoS attack. | 8 |
FTP DoS | 2013 | Indicates an FTP DoS attack. | 8 |
Infrastructure DoS | 2014 | Indicates a DoS attack on the infrastructure. | 8 |
Telnet DoS | 2015 | Indicates a Telnet DoS attack. | 8 |
Brute Force Login | 2016 | Indicates access to your system through unauthorized methods. | 8 |
High Rate TCP DoS | 2017 | Indicates a high rate TCP DoS attack. | 8 |
High Rate UDP DoS | 2018 | Indicates a high rate UDP DoS attack. | 8 |
High Rate ICMP DoS | 2019 | Indicates a high rate ICMP DoS attack. | 8 |
High Rate DoS | 2020 | Indicates a high rate DoS attack. | 8 |
Medium Rate TCP DoS | 2021 | Indicates a medium rate TCP attack. | 8 |
Medium Rate UDP DoS | 2022 | Indicates a medium rate UDP attack. | 8 |
Medium Rate ICMP DoS | 2023 | Indicates a medium rate ICMP attack. | 8 |
Medium Rate DoS | 2024 | Indicates a medium rate DoS attack. | 8 |
Low Rate TCP DoS | 2025 | Indicates a low rate TCP DoS attack. | 8 |
Low Rate UDP DoS | 2026 | Indicates a low rate UDP DoS attack. | 8 |
Low Rate ICMP DoS | 2027 | Indicates a low rate ICMP DoS attack. | 8 |
Low Rate DoS | 2028 | Indicates a low rate DoS attack. | 8 |
Distributed High Rate TCP DoS | 2029 | Indicates a distributed high rate TCP DoS attack. | 8 |
Distributed High Rate UDP DoS | 2030 | Indicates a distributed high rate UDP DoS attack. | 8 |
Distributed High Rate ICMP DoS | 2031 | Indicates a distributed high rate ICMP DoS attack. | 8 |
Distributed High Rate DoS | 2032 | Indicates a distributed high rate DoS attack. | 8 |
Distributed Medium Rate TCP DoS | 2033 | Indicates a distributed medium rate TCP DoS attack. | 8 |
Distributed Medium Rate UDP DoS | 2034 | Indicates a distributed medium rate UDP DoS attack. | 8 |
Distributed Medium Rate ICMP DoS | 2035 | Indicates a distributed medium rate ICMP DoS attack. | 8 |
Distributed Medium Rate DoS | 2036 | Indicates a distributed medium rate DoS attack. | 8 |
Distributed Low Rate TCP DoS | 2037 | Indicates a distributed low rate TCP DoS attack. | 8 |
Distributed Low Rate UDP DoS | 2038 | Indicates a distributed low rate UDP DoS attack. | 8 |
Distributed Low Rate ICMP DoS | 2039 | Indicates a distributed low rate ICMP DoS attack. | 8 |
Distributed Low Rate DoS | 2040 | Indicates a distributed low rate DoS attack. | 8 |
High Rate TCP Scan | 2041 | Indicates a high rate TCP scan. | 8 |
High Rate UDP Scan | 2042 | Indicates a high rate UDP scan. | 8 |
High Rate ICMP Scan | 2043 | Indicates a high rate ICMP scan. | 8 |
High Rate Scan | 2044 | Indicates a high rate scan. | 8 |
Medium Rate TCP Scan | 2045 | Indicates a medium rate TCP scan. | 8 |
Medium Rate UDP Scan | 2046 | Indicates a medium rate UDP scan. | 8 |
Medium Rate ICMP Scan | 2047 | Indicates a medium rate ICMP scan. | 8 |
Medium Rate Scan | 2048 | Indicates a medium rate scan. | 8 |
Low Rate TCP Scan | 2049 | Indicates a low rate TCP scan. | 8 |
Low Rate UDP Scan | 2050 | Indicates a low rate UDP scan. | 8 |
Low Rate ICMP Scan | 2051 | Indicates a low rate ICMP scan. | 8 |
Low Rate Scan | 2052 | Indicates a low rate scan. | 8 |
VoIP DoS | 2053 | Indicates a VoIP DoS attack. | 8 |
Flood | 2054 | Indicates a Flood attack. | 8 |
TCP Flood | 2055 | Indicates a TCP flood attack. | 8 |
UDP Flood | 2056 | Indicates a UDP flood attack. | 8 |
ICMP Flood | 2057 | Indicates an ICMP flood attack. | 8 |
SYN Flood | 2058 | Indicates a SYN flood attack. | 8 |
URG Flood | 2059 | Indicates a flood attack with the urgent (URG) flag on. | 8 |
SYN URG Flood | 2060 | Indicates a SYN flood attack with the urgent (URG) flag on. | 8 |
SYN FIN Flood | 2061 | Indicates a SYN FIN flood attack. | 8 |
SYN ACK Flood | 2062 | Indicates a SYN ACK flood attack. | 8 |
Authentication
The authentication category contains events that are related to authentication, sessions, and access controls that monitor users on the network.
The following table describes the low-level event categories and associated severity levels for the authentication category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Authentication | 3001 | Indicates unknown authentication. | 1 |
Host Login Succeeded | 3002 | Indicates a successful host login. | 1 |
Host Login Failed | 3003 | Indicates that the host login failed. | 3 |
Misc Login Succeeded | 3004 | Indicates that the login sequence succeeded. | 1 |
Misc Login Failed | 3005 | Indicates that the login sequence failed. | 3 |
Privilege Escalation Failed | 3006 | Indicates that the privilege escalation failed. | 3 |
Privilege Escalation Succeeded | 3007 | Indicates that the privilege escalation succeeded. | 1 |
Mail Service Login Succeeded | 3008 | Indicates that the mail service login succeeded. | 1 |
Mail Service Login Failed | 3009 | Indicates that the mail service login failed. | 3 |
Auth Server Login Failed | 3010 | Indicates that the authentication server login failed. | 3 |
Auth Server Login Succeeded | 3011 | Indicates that the authentication server login succeeded. | 1 |
Web Service Login Succeeded | 3012 | Indicates that the web service login succeeded. | 1 |
Web Service Login Failed | 3013 | Indicates that the web service login failed. | 3 |
Admin Login Successful | 3014 | Indicates that an administrative login was successful. | 1 |
Admin Login Failure | 3015 | Indicates the administrative login failed. | 3 |
Suspicious Username | 3016 | Indicates that a user attempted to access the network by using an incorrect user name. | 4 |
Login with username/password defaults successful | 3017 | Indicates that a user accessed the network by using the default user name and password. | 4 |
Login with username/password defaults failed | 3018 | Indicates that a user was unsuccessful in accessing the network by using the default user name and password. | 4 |
FTP Login Succeeded | 3019 | Indicates that the FTP login was successful. | 1 |
FTP Login Failed | 3020 | Indicates that the FTP login failed. | 3 |
SSH Login Succeeded | 3021 | Indicates that the SSH login was successful. | 1 |
SSH Login Failed | 3022 | Indicates that the SSH login failed. | 2 |
User Right Assigned | 3023 | Indicates that user access to network resources was successfully granted. | 1 |
User Right Removed | 3024 | Indicates that user access to network resources was successfully removed. | 1 |
Trusted Domain Added | 3025 | Indicates that a trusted domain was successfully added to your deployment. | 1 |
Trusted Domain Removed | 3026 | Indicates that a trusted domain was removed from your deployment. | 1 |
System Security Access Granted | 3027 | Indicates that system security access was successfully granted. | 1 |
System Security Access Removed | 3028 | Indicates that system security access was successfully removed. | 1 |
Policy Added | 3029 | Indicates that a policy was successfully added. | 1 |
Policy Change | 3030 | Indicates that a policy was successfully changed. | 1 |
User Account Added | 3031 | Indicates that a user account was successfully added. | 1 |
User Account Changed | 3032 | Indicates a change to an existing user account. | 1 |
Password Change Failed | 3033 | Indicates that an attempt to change an existing password failed. | 3 |
Password Change Succeeded | 3034 | Indicates that a password change was successful. | 1 |
User Account Removed | 3035 | Indicates that a user account was successfully removed. | 1 |
Group Member Added | 3036 | Indicates that a group member was successfully added. | 1 |
Group Member Removed | 3037 | Indicates that a group member was removed. | 1 |
Group Added | 3038 | Indicates that a group was successfully added. | 1 |
Group Changed | 3039 | Indicates a change to an existing group. | 1 |
Group Removed | 3040 | Indicates that a group was removed. | 1 |
Computer Account Added | 3041 | Indicates that a computer account was successfully added. | 1 |
Computer Account Changed | 3042 | Indicates a change to an existing computer account. | 1 |
Computer Account Removed | 3043 | Indicates that a computer account was successfully removed. | 1 |
Remote Access Login Succeeded | 3044 | Indicates that access to the network by using a remote login was successful. | 1 |
Remote Access Login Failed | 3045 | Indicates that an attempt to access the network by using a remote login failed. | 3 |
General Authentication Successful | 3046 | Indicates that the authentication process was successful. | 1 |
General Authentication Failed | 3047 | Indicates that the authentication process failed. | 3 |
Telnet Login Succeeded | 3048 | Indicates that the telnet login was successful. | 1 |
Telnet Login Failed | 3049 | Indicates that the telnet login failed. | 3 |
Suspicious Password | 3050 | Indicates that a user attempted to log in by using a suspicious password. | 4 |
Samba Login Successful | 3051 | Indicates that a user successfully logged in by using Samba. | 1 |
Samba Login Failed | 3052 | Indicates a user failed to log in by using Samba. | 3 |
Auth Server Session Opened | 3053 | Indicates that a communication session with the authentication server was started. | 1 |
Auth Server Session Closed | 3054 | Indicates that a communication session with the authentication server was closed. | 1 |
Firewall Session Closed | 3055 | Indicates that a firewall session was closed. | 1 |
Host Logout | 3056 | Indicates that a host successfully logged out. | 1 |
Misc Logout | 3057 | Indicates that a user successfully logged out. | 1 |
Auth Server Logout | 3058 | Indicates that the process to log out of the authentication server was successful. | 1 |
Web Service Logout | 3059 | Indicates that the process to log out of the web service was successful. | 1 |
Admin Logout | 3060 | Indicates that the administrative user successfully logged out. | 1 |
FTP Logout | 3061 | Indicates that the process to log out of the FTP service was successful. | 1 |
SSH Logout | 3062 | Indicates that the process to log out of the SSH session was successful. | 1 |
Remote Access Logout | 3063 | Indicates that the process to log out using remote access was successful. | 1 |
Telnet Logout | 3064 | Indicates that the process to log out of the Telnet session was successful. | 1 |
Samba Logout | 3065 | Indicates that the process to log out of Samba was successful. | 1 |
SSH Session Started | 3066 | Indicates that the SSH login session was initiated on a host. | 1 |
SSH Session Finished | 3067 | Indicates the termination of an SSH login session on a host. | 1 |
Admin Session Started | 3068 | Indicates that a login session was initiated on a host by an administrative or privileged user. | 1 |
Admin Session Finished | 3069 | Indicates the termination of an administrator's or privileged user's login session on a host. | 1 |
VoIP Login Succeeded | 3070 | Indicates a successful VoIP service login. | 1 |
VoIP Login Failed | 3071 | Indicates an unsuccessful attempt to access the VoIP service. | 1 |
VoIP Logout | 3072 | Indicates a VoIP user logout. | 1 |
VoIP Session Initiated | 3073 | Indicates the beginning of a VoIP session. | 1 |
VoIP Session Terminated | 3074 | Indicates the end of a VoIP session. | 1 |
Database Login Succeeded | 3075 | Indicates a successful database login. | 1 |
Database Login Failure | 3076 | Indicates a database login attempt failed. | 3 |
IKE Authentication Failed | 3077 | Indicates a failed Internet Key Exchange (IKE) authentication was detected. | 3 |
IKE Authentication Succeeded | 3078 | Indicates that a successful IKE authentication was detected. | 1 |
IKE Session Started | 3079 | Indicates that an IKE session started. | 1 |
IKE Session Ended | 3080 | Indicates that an IKE session ended. | 1 |
IKE Error | 3081 | Indicates an IKE error message. | 1 |
IKE Status | 3082 | Indicates IKE status message. | 1 |
RADIUS Session Started | 3083 | Indicates that a RADIUS session started. | 1 |
RADIUS Session Ended | 3084 | Indicates a RADIUS session ended. | 1 |
RADIUS Session Denied | 3085 | Indicates that a RADIUS session was denied. | 1 |
RADIUS Session Status | 3086 | Indicates a RADIUS session status message. | 1 |
RADIUS Authentication Failed | 3087 | Indicates a RADIUS authentication failure. | 3 |
RADIUS Authentication Successful | 3088 | Indicates a RADIUS authentication succeeded. | 1 |
TACACS Session Started | 3089 | Indicates a TACACS session started. | 1 |
TACACS Session Ended | 3090 | Indicates a TACACS session ended. | 1 |
TACACS Session Denied | 3091 | Indicates that a TACACS session was denied. | 1 |
TACACS Session Status | 3092 | Indicates a TACACS session status message. | 1 |
TACACS Authentication Successful | 3093 | Indicates a TACACS authentication succeeded. | 1 |
TACACS Authentication Failed | 3094 | Indicates a TACACS authentication failure. | 1 |
Deauthenticating Host Succeeded | 3095 | Indicates that the deauthentication of a host was successful. | 1 |
Deauthenticating Host Failed | 3096 | Indicates that the deauthentication of a host failed. | 3 |
Station Authentication Succeeded | 3097 | Indicates that the station authentication was successful. | 1 |
Station Authentication Failed | 3098 | Indicates that the station authentication of a host failed. | 3 |
Station Association Succeeded | 3099 | Indicates that the station association was successful. | 1 |
Station Association Failed | 3100 | Indicates that the station association failed. | 3 |
Station Reassociation Succeeded | 3101 | Indicates that the station reassociation was successful. | 1 |
Station Reassociation Failed | 3102 | Indicates that the station reassociation failed. | 3 |
Disassociating Host Succeeded | 3103 | Indicates that disassociating a host was successful. | 1 |
Disassociating Host Failed | 3104 | Indicates that disassociating a host failed. | 3 |
SA Error | 3105 | Indicates a Security Association (SA) error message. | 5 |
SA Creation Failure | 3106 | Indicates a Security Association (SA) creation failure. | 3 |
SA Established | 3107 | Indicates that a Security Association (SA) connection was established. | 1 |
SA Rejected | 3108 | Indicates that a Security Association (SA) connection was rejected. | 3 |
Deleting SA | 3109 | Indicates the deletion of a Security Association (SA). | 1 |
Creating SA | 3110 | Indicates the creation of a Security Association (SA). | 1 |
Certificate Mismatch | 3111 | Indicates a certificate mismatch. | 3 |
Credentials Mismatch | 3112 | Indicates a credentials mismatch. | 3 |
Admin Login Attempt | 3113 | Indicates an admin login attempt. | 2 |
User Login Attempt | 3114 | Indicates a user login attempt. | 2 |
User Login Successful | 3115 | Indicates a successful user login. | 1 |
User Login Failure | 3116 | Indicates a failed user login. | 3 |
SFTP Login Succeeded | 3117 | Indicates a successful SSH File Transfer Protocol (SFTP) login. | 1 |
SFTP Login Failed | 3118 | Indicates a failed SSH File Transfer Protocol (SFTP) login. | 3 |
SFTP Logout | 3119 | Indicates an SSH File Transfer Protocol (SFTP) logout. | 1 |
Identity Granted | 3120 | Indicates that an identity was granted. | 1 |
Identity Removed | 3121 | Indicates that an identity was removed. | 1 |
Identity Revoked | 3122 | Indicates that an identity was revoked. | 1 |
Policy Removed | 3123 | Indicates that a policy was removed. | 1 |
User Account Lock | 3124 | Indicates that a user account was locked. | 1 |
User Account Unlock | 3125 | Indicates that a user account was unlocked. | 1 |
User Account Expired | 3126 | Indicates that a user account has expired. | 1 |
Access
The access category contains authentication and access controls that are used for monitoring network events.
The following table describes the low-level event categories and associated severity levels for the access category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Network Communication Event | 4001 | Indicates an unknown network communication event. | 3 |
Firewall Permit | 4002 | Indicates that access to the firewall was allowed. | 0 |
Firewall Deny | 4003 | Indicates that access to the firewall was denied. | 4 |
Flow Context Response (QRadar SIEM only) | 4004 | Indicates events from the Classification Engine in response to a SIM request. | 5 |
Misc Network Communication Event | 4005 | Indicates a miscellaneous communications event. | 3 |
IPS Deny | 4006 | Indicates Intrusion Prevention Systems (IPS) denied traffic. | 4 |
Firewall Session Opened | 4007 | Indicates that the firewall session was opened. | 0 |
Firewall Session Closed | 4008 | Indicates that the firewall session was closed. | 0 |
Dynamic Address Translation Successful | 4009 | Indicates that dynamic address translation was successful. | 0 |
No Translation Group Found | 4010 | Indicates that no translation group was found. | 2 |
Misc Authorization | 4011 | Indicates that access was granted to a miscellaneous authentication server. | 2 |
ACL Permit | 4012 | Indicates that an Access Control List (ACL) allowed access. | 0 |
ACL Deny | 4013 | Indicates that an Access Control List (ACL) denied access. | 4 |
Access Permitted | 4014 | Indicates that access was allowed. | 0 |
Access Denied | 4015 | Indicates that access was denied. | 4 |
Session Opened | 4016 | Indicates that a session was opened. | 1 |
Session Closed | 4017 | Indicates that a session was closed. | 1 |
Session Reset | 4018 | Indicates that a session was reset. | 3 |
Session Terminated | 4019 | Indicates that a session was terminated. | 4 |
Session Denied | 4020 | Indicates that a session was denied. | 5 |
Session in Progress | 4021 | Indicates that a session is in progress. | 1 |
Session Delayed | 4022 | Indicates that a session was delayed. | 3 |
Session Queued | 4023 | Indicates that a session was queued. | 1 |
Session Inbound | 4024 | Indicates that a session is inbound. | 1 |
Session Outbound | 4025 | Indicates that a session is outbound. | 1 |
Unauthorized Access Attempt | 4026 | Indicates that an unauthorized access attempt was detected. | 6 |
Misc Application Action Allowed | 4027 | Indicates that an application action was allowed. | 1 |
Misc Application Action Denied | 4028 | Indicates that an application action was denied. | 3 |
Database Action Allowed | 4029 | Indicates that a database action was allowed. | 1 |
Database Action Denied | 4030 | Indicates that a database action was denied. | 3 |
FTP Action Allowed | 4031 | Indicates that an FTP action was allowed. | 1 |
FTP Action Denied | 4032 | Indicates that an FTP action was denied. | 3 |
Object Cached | 4033 | Indicates that an object was cached. | 1 |
Object Not Cached | 4034 | Indicates that an object was not cached. | 1 |
Rate Limiting | 4035 | Indicates that the network rate-limits traffic. | 4 |
No Rate Limiting | 4036 | Indicates that the network does not rate-limit traffic. | 0 |
P11 Access Permitted | 4037 | Indicates that P11 access is permitted. | 8 |
P11 Access Denied | 4038 | Indicates that P11 access was attempted and denied. | 8 |
IPS Permit | 4039 | Indicates an IPS permit. | 0 |
Exploit
The exploit category contains events where a communication or an access exploit occurred.
The following table describes the low-level event categories and associated severity levels for the exploit category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Exploit Attack | 5001 | Indicates an unknown exploit attack. | 9 |
Buffer Overflow | 5002 | Indicates a buffer overflow. | 9 |
DNS Exploit | 5003 | Indicates a DNS exploit. | 9 |
Telnet Exploit | 5004 | Indicates a Telnet exploit. | 9 |
Linux® Exploit | 5005 | Indicates a Linux exploit. | 9 |
UNIX Exploit | 5006 | Indicates a UNIX exploit. | 9 |
Windows Exploit | 5007 | Indicates a Microsoft Windows exploit. | 9 |
Mail Exploit | 5008 | Indicates a mail server exploit. | 9 |
Infrastructure Exploit | 5009 | Indicates an infrastructure exploit. | 9 |
Misc Exploit | 5010 | Indicates a miscellaneous exploit. | 9 |
Web Exploit | 5011 | Indicates a web exploit. | 9 |
Session Hijack | 5012 | Indicates that a session in your network was intercepted. | 9 |
Worm Active | 5013 | Indicates an active worm. | 10 |
Password Guess/Retrieve | 5014 | Indicates that a user requested access to their password information from the database. | 9 |
FTP Exploit | 5015 | Indicates an FTP exploit. | 9 |
RPC Exploit | 5016 | Indicates an RPC exploit. | 9 |
SNMP Exploit | 5017 | Indicates an SNMP exploit. | 9 |
NOOP Exploit | 5018 | Indicates a NOOP exploit. | 9 |
Samba Exploit | 5019 | Indicates a Samba exploit. | 9 |
SSH Exploit | 5020 | Indicates an SSH exploit. | 9 |
Database Exploit | 5021 | Indicates a database exploit. | 9 |
ICMP Exploit | 5022 | Indicates an ICMP exploit. | 9 |
UDP Exploit | 5023 | Indicates a UDP exploit. | 9 |
Browser Exploit | 5024 | Indicates an exploit on your browser. | 9 |
DHCP Exploit | 5025 | Indicates a DHCP exploit. | 9 |
Remote Access Exploit | 5026 | Indicates a remote access exploit. | 9 |
ActiveX Exploit | 5027 | Indicates an exploit through an ActiveX application. | 9 |
SQL Injection | 5028 | Indicates that an SQL injection occurred. | 9 |
Cross-Site Scripting | 5029 | Indicates a cross-site scripting vulnerability. | 9 |
Format String Vulnerability | 5030 | Indicates a format string vulnerability. | 9 |
Input Validation Exploit | 5031 | Indicates that an input validation exploit attempt was detected. | 9 |
Remote Code Execution | 5032 | Indicates that a remote code execution attempt was detected. | 9 |
Memory Corruption | 5033 | Indicates that a memory corruption exploit was detected. | 9 |
Command Execution | 5034 | Indicates that a remote command execution attempt was detected. | 9 |
Code Injection | 5035 | Indicates that a code injection was detected. | 9 |
Replay Attack | 5036 | Indicates that a replay attack was detected. | 9 |
Malware
The malicious software (malware) category contains events that are related to viruses, trojans, back door attacks, and other forms of hostile software.
The following table describes the low-level event categories and associated severity levels for the malware category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Malware | 6001 | Indicates an unknown virus. | 4 |
Backdoor Detected | 6002 | Indicates that a back door to the system was detected. | 9 |
Hostile Mail Attachment | 6003 | Indicates a hostile mail attachment. | 6 |
Malicious Software | 6004 | Indicates a virus. | 6 |
Hostile Software Download | 6005 | Indicates a hostile software download to your network. | 6 |
Virus Detected | 6006 | Indicates that a virus was detected. | 8 |
Misc Malware | 6007 | Indicates miscellaneous malicious software. | 4 |
Trojan Detected | 6008 | Indicates that a trojan was detected. | 7 |
Spyware Detected | 6009 | Indicates that spyware was detected on your system. | 6 |
Content Scan | 6010 | Indicates that an attempted scan of your content was detected. | 3 |
Content Scan Failed | 6011 | Indicates that a scan of your content failed. | 8 |
Content Scan Successful | 6012 | Indicates that a scan of your content was successful. | 3 |
Content Scan in Progress | 6013 | Indicates that a scan of your content is in progress. | 3 |
Keylogger | 6014 | Indicates that a key logger was detected. | 7 |
Adware Detected | 6015 | Indicates that adware was detected. | 4 |
Quarantine Successful | 6016 | Indicates that a quarantine action successfully completed. | 3 |
Quarantine Failed | 6017 | Indicates that a quarantine action failed. | 8 |
Malware Infection | 6018 | Indicates that a malware infection was detected. | 10 |
Remove Successful | 6019 | Indicates that the removal was successful. | 3 |
Remove Failed | 6020 | Indicates that the removal failed. | 8 |
Suspicious Activity
The suspicious activity category contains events where the nature of the threat is unknown but the behavior is suspicious, for example, protocol anomalies that potentially indicate evasive techniques.
The following table describes the low-level event categories and associated severity levels for the suspicious activity category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Suspicious Event | 7001 | Indicates an unknown suspicious event. | 3 |
Suspicious Pattern Detected | 7002 | Indicates that a suspicious pattern was detected. | 3 |
Content Modified By Firewall | 7003 | Indicates that content was modified by the firewall. | 3 |
Invalid Command or Data | 7004 | Indicates an invalid command or data. | 3 |
Suspicious Packet | 7005 | Indicates a suspicious packet. | 3 |
Suspicious Activity | 7006 | Indicates suspicious activity. | 3 |
Suspicious File Name | 7007 | Indicates a suspicious file name. | 3 |
Suspicious Port Activity | 7008 | Indicates suspicious port activity. | 3 |
Suspicious Routing | 7009 | Indicates suspicious routing. | 3 |
Potential Web Vulnerability | 7010 | Indicates potential web vulnerability. | 3 |
Unknown Evasion Event | 7011 | Indicates an unknown evasion event. | 5 |
IP Spoof | 7012 | Indicates an IP spoof. | 5 |
IP Fragmentation | 7013 | Indicates IP fragmentation. | 3 |
Overlapping IP Fragments | 7014 | Indicates overlapping IP fragments. | 5 |
IDS Evasion | 7015 | Indicates an IDS evasion. | 5 |
DNS Protocol Anomaly | 7016 | Indicates a DNS protocol anomaly. | 3 |
FTP Protocol Anomaly | 7017 | Indicates an FTP protocol anomaly. | 3 |
Mail Protocol Anomaly | 7018 | Indicates a mail protocol anomaly. | 3 |
Routing Protocol Anomaly | 7019 | Indicates a routing protocol anomaly. | 3 |
Web Protocol Anomaly | 7020 | Indicates a web protocol anomaly. | 3 |
SQL Protocol Anomaly | 7021 | Indicates an SQL protocol anomaly. | 3 |
Executable Code Detected | 7022 | Indicates that executable code was detected. | 5 |
Misc Suspicious Event | 7023 | Indicates a miscellaneous suspicious event. | 3 |
Information Leak | 7024 | Indicates an information leak. | 1 |
Potential Mail Vulnerability | 7025 | Indicates a potential vulnerability in the mail server. | 4 |
Potential Version Vulnerability | 7026 | Indicates a potential vulnerability in the IBM QRadar version. | 4 |
Potential FTP Vulnerability | 7027 | Indicates a potential FTP vulnerability. | 4 |
Potential SSH Vulnerability | 7028 | Indicates a potential SSH vulnerability. | 4 |
Potential DNS Vulnerability | 7029 | Indicates a potential vulnerability in the DNS server. | 4 |
Potential SMB Vulnerability | 7030 | Indicates a potential SMB (Samba) vulnerability. | 4 |
Potential Database Vulnerability | 7031 | Indicates a potential vulnerability in the database. | 4 |
IP Protocol Anomaly | 7032 | Indicates a potential IP protocol anomaly. | 3 |
Suspicious IP Address | 7033 | Indicates that a suspicious IP address was detected. | 2 |
Invalid IP Protocol Usage | 7034 | Indicates an invalid IP protocol. | 2 |
Invalid Protocol | 7035 | Indicates an invalid protocol. | 4 |
Suspicious Window Events | 7036 | Indicates a suspicious event with a screen on your desktop. | 2 |
Suspicious ICMP Activity | 7037 | Indicates suspicious ICMP activity. | 2 |
Potential NFS Vulnerability | 7038 | Indicates a potential network file system (NFS) vulnerability. | 4 |
Potential NNTP Vulnerability | 7039 | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4 |
Potential RPC Vulnerability | 7040 | Indicates a potential RPC vulnerability. | 4 |
Potential Telnet Vulnerability | 7041 | Indicates a potential Telnet vulnerability on your system. | 4 |
Potential SNMP Vulnerability | 7042 | Indicates a potential SNMP vulnerability. | 4 |
Illegal TCP Flag Combination | 7043 | Indicates that an invalid TCP flag combination was detected. | 5 |
Suspicious TCP Flag Combination | 7044 | Indicates that a potentially invalid TCP flag combination was detected. | 4 |
Illegal ICMP Protocol Usage | 7045 | Indicates that an invalid use of the ICMP protocol was detected. | 5 |
Suspicious ICMP Protocol Usage | 7046 | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4 |
Illegal ICMP Type | 7047 | Indicates that an invalid ICMP type was detected. | 5 |
Illegal ICMP Code | 7048 | Indicates that an invalid ICMP code was detected. | 5 |
Suspicious ICMP Type | 7049 | Indicates that a potentially invalid ICMP type was detected. | 4 |
Suspicious ICMP Code | 7050 | Indicates that a potentially invalid ICMP code was detected. | 4 |
TCP port 0 | 7051 | Indicates a TCP packet uses a reserved port (0) for source or destination. | 4 |
UDP port 0 | 7052 | Indicates a UDP packet uses a reserved port (0) for source or destination. | 4 |
Hostile IP | 7053 | Indicates the use of a known hostile IP address. | 4 |
Watch list IP | 7054 | Indicates the use of an IP address from a watch list of IP addresses. | 4 |
Known offender IP | 7055 | Indicates the use of an IP address of a known offender. | 4 |
RFC 1918 (private) IP | 7056 | Indicates the use of an IP address from a private IP address range. | 4 |
Potential VoIP Vulnerability | 7057 | Indicates a potential VoIP vulnerability. | 4 |
Blacklist Address | 7058 | Indicates that an IP address is on the block list. | 8 |
Watchlist Address | 7059 | Indicates that the IP address is on the list of IP addresses being monitored. | 7 |
Darknet Address | 7060 | Indicates that the IP address is part of a darknet. | 5 |
Botnet Address | 7061 | Indicates that the address is part of a botnet. | 7 |
Suspicious Address | 7062 | Indicates that the IP address must be monitored. | 5 |
Bad Content | 7063 | Indicates that bad content was detected. | 7 |
Invalid Cert | 7064 | Indicates that an invalid certificate was detected. | 7 |
User Activity | 7065 | Indicates that user activity was detected. | 7 |
Suspicious Protocol Usage | 7066 | Indicates that suspicious protocol usage was detected. | 5 |
Suspicious BGP Activity | 7067 | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5 |
Route Poisoning | 7068 | Indicates that route corruption was detected. | 5 |
ARP Poisoning | 7069 | Indicates that ARP-cache poisoning was detected. | 5 |
Rogue Device Detected | 7070 | Indicates that a rogue device was detected. | 5 |
Government Agency Address | 7071 | Indicates that a government agency address was detected. | 3 |
System
The system category contains events that are related to system changes, software installation, or status messages.
The following table describes the low-level event categories and associated severity levels for the system category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown System Event | 8001 | Indicates an unknown system event. | 1 |
System Boot | 8002 | Indicates a system restart. | 1 |
System Configuration | 8003 | Indicates a change in the system configuration. | 1 |
System Halt | 8004 | Indicates that the system was halted. | 1 |
System Failure | 8005 | Indicates a system failure. | 6 |
System Status | 8006 | Indicates any information event. | 1 |
System Error | 8007 | Indicates a system error. | 3 |
Misc System Event | 8008 | Indicates a miscellaneous system event. | 1 |
Service Started | 8009 | Indicates that system services started. | 1 |
Service Stopped | 8010 | Indicates that system services stopped. | 1 |
Service Failure | 8011 | Indicates a system failure. | 6 |
Successful Registry Modification | 8012 | Indicates that a modification to the registry was successful. | 1 |
Successful Host-Policy Modification | 8013 | Indicates that a modification to the host policy was successful. | 1 |
Successful File Modification | 8014 | Indicates that a modification to a file was successful. | 1 |
Successful Stack Modification | 8015 | Indicates that a modification to the stack was successful. | 1 |
Successful Application Modification | 8016 | Indicates that a modification to the application was successful. | 1 |
Successful Configuration Modification | 8017 | Indicates that a modification to the configuration was successful. | 1 |
Successful Service Modification | 8018 | Indicates that a modification to a service was successful. | 1 |
Failed Registry Modification | 8019 | Indicates that a modification to the registry failed. | 1 |
Failed Host-Policy Modification | 8020 | Indicates that a modification to the host policy failed. | 1 |
Failed File Modification | 8021 | Indicates that a modification to a file failed. | 1 |
Failed Stack Modification | 8022 | Indicates that a modification to the stack failed. | 1 |
Failed Application Modification | 8023 | Indicates that a modification to an application failed. | 1 |
Failed Configuration Modification | 8024 | Indicates that a modification to the configuration failed. | 1 |
Failed Service Modification | 8025 | Indicates that a modification to the service failed. | 1 |
Registry Addition | 8026 | Indicates that a new item was added to the registry. | 1 |
Host-Policy Created | 8027 | Indicates that a new entry was added to the registry. | 1 |
File Created | 8028 | Indicates that a new file was created in the system. | 1 |
Application Installed | 8029 | Indicates that a new application was installed on the system. | 1 |
Service Installed | 8030 | Indicates that a new service was installed on the system. | 1 |
Registry Deletion | 8031 | Indicates that a registry entry was deleted. | 1 |
Host-Policy Deleted | 8032 | Indicates that a host policy entry was deleted. | 1 |
File Deleted | 8033 | Indicates that a file was deleted. | 1 |
Application Uninstalled | 8034 | Indicates that an application was uninstalled. | 1 |
Service Uninstalled | 8035 | Indicates that a service was uninstalled. | 1 |
System Informational | 8036 | Indicates system information. | 3 |
System Action Allow | 8037 | Indicates that an attempted action on the system was authorized. | 3 |
System Action Deny | 8038 | Indicates that an attempted action on the system was denied. | 4 |
Cron | 8039 | Indicates a crontab message. | 1 |
Cron Status | 8040 | Indicates a crontab status message. | 1 |
Cron Failed | 8041 | Indicates a crontab failure message. | 4 |
Cron Successful | 8042 | Indicates a crontab success message. | 1 |
Daemon | 8043 | Indicates a daemon message. | 1 |
Daemon Status | 8044 | Indicates a daemon status message. | 1 |
Daemon Failed | 8045 | Indicates a daemon failure message. | 4 |
Daemon Successful | 8046 | Indicates a daemon success message. | 1 |
Kernel | 8047 | Indicates a kernel message. | 1 |
Kernel Status | 8048 | Indicates a kernel status message. | 1 |
Kernel Failed | 8049 | Indicates a kernel failure message. | |
Kernel Successful | 8050 | Indicates a kernel success message. | 1 |
Authentication | 8051 | Indicates an authentication message. | 1 |
Information | 8052 | Indicates an informational message. | 2 |
Notice | 8053 | Indicates a notice message. | 3 |
Warning | 8054 | Indicates a warning message. | 5 |
Error | 8055 | Indicates an error message. | 7 |
Critical | 8056 | Indicates a critical message. | 9 |
Debug | 8057 | Indicates a debug message. | 1 |
Messages | 8058 | Indicates a generic message. | 1 |
Privilege Access | 8059 | Indicates that privilege access was attempted. | 3 |
Alert | 8060 | Indicates an alert message. | 9 |
Emergency | 8061 | Indicates an emergency message. | 9 |
SNMP Status | 8062 | Indicates an SNMP status message. | 1 |
FTP Status | 8063 | Indicates an FTP status message. | 1 |
NTP Status | 8064 | Indicates an NTP status message. | 1 |
Access Point Radio Failure | 8065 | Indicates an access point radio failure. | 3 |
Encryption Protocol Configuration Mismatch | 8066 | Indicates an encryption protocol configuration mismatch. | 3 |
Client Device or Authentication Server Misconfigured | 8067 | Indicates that a client device or authentication server was not configured properly. | 5 |
Hot Standby Enable Failed | 8068 | Indicates a hot standby enable failure. | 5 |
Hot Standby Disable Failed | 8069 | Indicates a hot standby disable failure. | 5 |
Hot Standby Enabled Successfully | 8070 | Indicates that hot standby was enabled successfully. | 1 |
Hot Standby Association Lost | 8071 | Indicates that a hot standby association was lost. | 5 |
MainMode Initiation Failure | 8072 | Indicates MainMode initiation failure. | 5 |
MainMode Initiation Succeeded | 8073 | Indicates that the MainMode initiation was successful. | 1 |
MainMode Status | 8074 | Indicates a MainMode status message was reported. | 1 |
QuickMode Initiation Failure | 8075 | Indicates that the QuickMode initiation failed. | 5 |
Quickmode Initiation Succeeded | 8076 | Indicates that the QuickMode initiation was successful. | 1 |
Quickmode Status | 8077 | Indicates a QuickMode status message was reported. | 1 |
Invalid License | 8078 | Indicates an invalid license. | 3 |
License Expired | 8079 | Indicates an expired license. | 3 |
New License Applied | 8080 | Indicates a new license applied. | 1 |
License Error | 8081 | Indicates a license error. | 5 |
License Status | 8082 | Indicates a license status message. | 1 |
Configuration Error | 8083 | Indicates that a configuration error was detected. | 5 |
Service Disruption | 8084 | Indicates that a service disruption was detected. | 5 |
EPS or FPM allocation exceeded | 8085 | Indicates that the license pool allocations for EPS or FPM were exceeded. | 3 |
Performance Status | 8086 | Indicates that the performance status was reported. | 1 |
Performance Degradation | 8087 | Indicates that the performance is being degraded. | 4 |
Misconfiguration | 8088 | Indicates that an incorrect configuration was detected. | 5 |
Policy
The policy category contains events that are related to the administration of network policy and the monitoring of network resources for policy violations.
The following table describes the low-level event categories and associated severity levels for the policy category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Policy Violation | 9001 | Indicates an unknown policy violation. | 2 |
Web Policy Violation | 9002 | Indicates a web policy violation. | 2 |
Remote Access Policy Violation | 9003 | Indicates a remote access policy violation. | 2 |
IRC/IM Policy Violation | 9004 | Indicates an instant messenger policy violation. | 2 |
P2P Policy Violation | 9005 | Indicates a Peer-to-Peer (P2P) policy violation. | 2 |
IP Access Policy Violation | 9006 | Indicates an IP access policy violation. | 2 |
Application Policy Violation | 9007 | Indicates an application policy violation. | 2 |
Database Policy Violation | 9008 | Indicates a database policy violation. | 2 |
Network Threshold Policy Violation | 9009 | Indicates a network threshold policy violation. | 2 |
Porn Policy Violation | 9010 | Indicates a porn policy violation. | 2 |
Games Policy Violation | 9011 | Indicates a games policy violation. | 2 |
Misc Policy Violation | 9012 | Indicates a miscellaneous policy violation. | 2 |
Compliance Policy Violation | 9013 | Indicates a compliance policy violation. | 2 |
Mail Policy Violation | 9014 | Indicates a mail policy violation. | 2 |
IRC Policy Violation | 9015 | Indicates an IRC policy violation. | 2 |
IM Policy Violation | 9016 | Indicates a policy violation that is related to instant message (IM) activities. | 2 |
VoIP Policy Violation | 9017 | Indicates a VoIP policy violation. | 2 |
Succeeded | 9018 | Indicates a policy success message. | 1 |
Failed | 9019 | Indicates a policy failure message. | 4 |
Data Loss Prevention Policy Violation | 9020 | Indicates a data loss prevention policy violation. | 2 |
Watchlist Object | 9021 | Indicates a watchlist object. | 2 |
Web Policy Allow | 9022 | Indicates a new web policy allowance. | 1 |
Unknown
The Unknown category contains events that are not parsed and therefore cannot be categorized.
The following table describes the low-level event categories and associated severity levels for the Unknown category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown | 10001 | Indicates an unknown event. | 3 |
Unknown Snort Event | 10002 | Indicates an unknown Snort event. | 3 |
Unknown Dragon Event | 10003 | Indicates an unknown Dragon event. | 3 |
Unknown Pix Firewall Event | 10004 | Indicates an unknown Cisco Private Internet Exchange (PIX) Firewall event. | 3 |
Unknown Tipping Point Event | 10005 | Indicates an unknown HP TippingPoint event. | 3 |
Unknown Windows Auth Server Event | 10006 | Indicates an unknown Windows Auth Server event. | 3 |
Unknown Nortel Event | 10007 | Indicates an unknown Nortel event. | 3 |
Stored | 10009 | Indicates an unknown stored event. | 3 |
Behavioral | 11001 | Indicates an unknown behavioral event. | 3 |
Threshold | 11002 | Indicates an unknown threshold event. | 3 |
Anomaly | 11003 | Indicates an unknown anomaly event. | 3 |
CRE
The custom rule event (CRE) category contains events that are generated from a custom offense, flow, or event rule.
The following table describes the low-level event categories and associated severity levels for the CRE category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown CRE Event | 12001 | Indicates an unknown custom rules engine event. | 5 |
Single Event Rule Match | 12002 | Indicates a single event rule match. | 5 |
Event Sequence Rule Match | 12003 | Indicates an event sequence rule match. | 5 |
Cross-Offense Event Sequence Rule Match | 12004 | Indicates a cross-offense event sequence rule match. | 5 |
Offense Rule Match | 12005 | Indicates an offense rule match. | 5 |
Potential Exploit
The potential exploit category contains events that are related to potential application exploits and buffer overflow attempts.
The following table describes the low-level event categories and associated severity levels for the potential exploit category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Potential Exploit Attack | 13001 | Indicates that a potential exploitative attack was detected. | 7 |
Potential Buffer Overflow | 13002 | Indicates that a potential buffer overflow was detected. | 7 |
Potential DNS Exploit | 13003 | Indicates that a potentially exploitative attack through the DNS server was detected. | 7 |
Potential Telnet Exploit | 13004 | Indicates that a potentially exploitative attack through Telnet was detected. | 7 |
Potential Linux Exploit | 13005 | Indicates that a potentially exploitative attack through Linux was detected. | 7 |
Potential UNIX Exploit | 13006 | Indicates that a potentially exploitative attack through UNIX was detected. | 7 |
Potential Windows Exploit | 13007 | Indicates that a potentially exploitative attack through Windows was detected. | 7 |
Potential Mail Exploit | 13008 | Indicates that a potentially exploitative attack through mail was detected. | 7 |
Potential Infrastructure Exploit | 13009 | Indicates that a potential exploitative attack on the system infrastructure was detected. | 7 |
Potential Misc Exploit | 13010 | Indicates that a potentially exploitative attack was detected. | 7 |
Potential Web Exploit | 13011 | Indicates that a potentially exploitative attack through the web was detected. | 7 |
Potential Botnet Connection | 13012 | Indicates that a potentially exploitative attack that uses a botnet was detected. | 6 |
Potential Worm Activity | 13013 | Indicates that a potential attack that uses worm activity was detected. | 6 |
Flow
The flow category includes events that are related to flow actions.
The following table describes the low-level event categories and associated severity levels for the flow category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unidirectional Flow | 14001 | Indicates a unidirectional flow of events. | 5 |
Low number of Unidirectional Flows | 14002 | Indicates a low number of unidirectional flows of events. | 5 |
Medium number of Unidirectional Flows | 14003 | Indicates a medium number of unidirectional flows of events. | 5 |
High number of Unidirectional Flows | 14004 | Indicates a high number of unidirectional flows of events. | 5 |
Unidirectional TCP Flow | 14005 | Indicates a unidirectional TCP flow. | 5 |
Low number of Unidirectional TCP Flows | 14006 | Indicates a low number of unidirectional TCP flows. | 5 |
Medium number of Unidirectional TCP Flows | 14007 | Indicates a medium number of unidirectional TCP flows. | 5 |
High number of Unidirectional TCP Flows | 14008 | Indicates a high number of unidirectional TCP flows. | 5 |
Unidirectional ICMP Flow | 14009 | Indicates a unidirectional ICMP flow. | 5 |
Low number of Unidirectional ICMP Flows | 14010 | Indicates a low number of unidirectional ICMP flows. | 5 |
Medium number of Unidirectional ICMP Flows | 14011 | Indicates a medium number of unidirectional ICMP flows. | 5 |
High number of Unidirectional ICMP Flows | 14012 | Indicates a high number of unidirectional ICMP flows. | 5 |
Suspicious ICMP Flow | 14013 | Indicates a suspicious ICMP flow. | 5 |
Suspicious UDP Flow | 14014 | Indicates a suspicious UDP flow. | 5 |
Suspicious TCP Flow | 14015 | Indicates a suspicious TCP flow. | 5 |
Suspicious Flow | 14016 | Indicates a suspicious flow. | 5 |
Empty Packet Flows | 14017 | Indicates empty packet flows. | 5 |
Low number of Empty Packet Flows | 14018 | Indicates a low number of empty packet flows. | 5 |
Medium number of Empty Packet Flows | 14019 | Indicates a medium number of empty packet flows. | 5 |
High number of Empty Packet Flows | 14020 | Indicates a high number of empty packet flows. | 5 |
Large Payload Flows | 14021 | Indicates large payload flows. | 5 |
Low number of Large Payload Flows | 14022 | Indicates a low number of large payload flows. | 5 |
Medium number of Large Payload Flows | 14023 | Indicates a medium number of large payload flows. | 5 |
High number of Large Payload Flows | 14024 | Indicates a high number of large payload flows. | 5 |
One Attacker to Many Target Flows | 14025 | Indicates flows from one attacker to many targets. | 5 |
Many Attacker to one Target Flow | 14026 | Indicates flows from many attackers to one target. | 5 |
Unknown Flow | 14027 | Indicates an unknown flow. | 5 |
Netflow Record | 14028 | Indicates a Netflow record. | 5 |
QFlow Record | 14029 | Indicates a QFlow record. | 5 |
SFlow Record | 14030 | Indicates an SFlow record. | 5 |
Packeteer Record | 14031 | Indicates a Packeteer record. | 5 |
Misc Flow | 14032 | Indicates a miscellaneous flow. | 5 |
Large Data Transfer | 14033 | Indicates a large transfer of data. | 5 |
Large Data Transfer Outbound | 14034 | Indicates a large transfer of outbound data. | 5 |
VoIP Flows | 14035 | Indicates VoIP Flows. | 5 |
User Defined
The User Defined category contains events that are related to user-defined objects.
The following table describes the low-level event categories and associated severity levels for the User Defined category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Custom Sentry Low | 15001 | Indicates a low severity custom anomaly event. | 3 |
Custom Sentry Medium | 15002 | Indicates a medium severity custom anomaly event. | 5 |
Custom Sentry High | 15003 | Indicates a high severity custom anomaly event. | 7 |
Custom Sentry 1 | 15004 | Indicates a custom anomaly event with a severity level of 1. | 1 |
Custom Sentry 2 | 15005 | Indicates a custom anomaly event with a severity level of 2. | 2 |
Custom Sentry 3 | 15006 | Indicates a custom anomaly event with a severity level of 3. | 3 |
Custom Sentry 4 | 15007 | Indicates a custom anomaly event with a severity level of 4. | 4 |
Custom Sentry 5 | 15008 | Indicates a custom anomaly event with a severity level of 5. | 5 |
Custom Sentry 6 | 15009 | Indicates a custom anomaly event with a severity level of 6. | 6 |
Custom Sentry 7 | 15010 | Indicates a custom anomaly event with a severity level of 7. | 7 |
Custom Sentry 8 | 15011 | Indicates a custom anomaly event with a severity level of 8. | 8 |
Custom Sentry 9 | 15012 | Indicates a custom anomaly event with a severity level of 9. | 9 |
Custom Policy Low | 15013 | Indicates a custom policy event with a low severity level. | 3 |
Custom Policy Medium | 15014 | Indicates a custom policy event with a medium severity level. | 5 |
Custom Policy High | 15015 | Indicates a custom policy event with a high severity level. | 7 |
Custom Policy 1 | 15016 | Indicates a custom policy event with a severity level of 1. | 1 |
Custom Policy 2 | 15017 | Indicates a custom policy event with a severity level of 2. | 2 |
Custom Policy 3 | 15018 | Indicates a custom policy event with a severity level of 3. | 3 |
Custom Policy 4 | 15019 | Indicates a custom policy event with a severity level of 4. | 4 |
Custom Policy 5 | 15020 | Indicates a custom policy event with a severity level of 5. | 5 |
Custom Policy 6 | 15021 | Indicates a custom policy event with a severity level of 6. | 6 |
Custom Policy 7 | 15022 | Indicates a custom policy event with a severity level of 7. | 7 |
Custom Policy 8 | 15023 | Indicates a custom policy event with a severity level of 8. | 8 |
Custom Policy 9 | 15024 | Indicates a custom policy event with a severity level of 9. | 9 |
Custom User Low | 15025 | Indicates a custom user event with a low severity level. | 3 |
Custom User Medium | 15026 | Indicates a custom user event with a medium severity level. | 5 |
Custom User High | 15027 | Indicates a custom user event with a high severity level. | 7 |
Custom User 1 | 15028 | Indicates a custom user event with a severity level of 1. | 1 |
Custom User 2 | 15029 | Indicates a custom user event with a severity level of 2. | 2 |
Custom User 3 | 15030 | Indicates a custom user event with a severity level of 3. | 3 |
Custom User 4 | 15031 | Indicates a custom user event with a severity level of 4. | 4 |
Custom User 5 | 15032 | Indicates a custom user event with a severity level of 5. | 5 |
Custom User 6 | 15033 | Indicates a custom user event with a severity level of 6. | 6 |
Custom User 7 | 15034 | Indicates a custom user event with a severity level of 7. | 7 |
Custom User 8 | 15035 | Indicates a custom user event with a severity level of 8. | 8 |
Custom User 9 | 15036 | Indicates a custom user event with a severity level of 9. | 9 |
SIM Audit
The SIM Audit category contains events that are related to user interaction with the Console and administrative features.
The following table describes the low-level event categories and associated severity levels for the SIM Audit category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
SIM User Authentication | 16001 | Indicates a user login or logout on the Console. | 5 |
SIM Configuration Change | 16002 | Indicates that a user changed the SIM configuration or deployment. | 3 |
SIM User Action | 16003 | Indicates that a user initiated a process, such as starting a backup or generating a report, in the SIM module. | 3 |
Session Created | 16004 | Indicates that a user session was created. | 3 |
Session Destroyed | 16005 | Indicates that a user session was destroyed. | 3 |
Admin Session Created | 16006 | Indicates that an admin session was created. | |
Admin Session Destroyed | 16007 | Indicates that an admin session was destroyed. | 3 |
Session Authentication Invalid | 16008 | Indicates an invalid session authentication. | 5 |
Session Authentication Expired | 16009 | Indicates that a session authentication expired. | 3 |
Risk Manager Configuration | 16010 | Indicates that a user changed the IBM QRadar Risk Manager configuration. | 3 |
VIS Host Discovery
When the VIS component discovers and stores new hosts, ports, or vulnerabilities that are detected on the network, the VIS component generates events. These events are sent to the Event Collector to be correlated with other security events.
The following table describes the low-level event categories and associated severity levels for the VIS host discovery category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
New Host Discovered | 17001 | Indicates that the VIS component detected a new host. | 3 |
New Port Discovered | 17002 | Indicates that the VIS component detected a new open port. | 3 |
New Vuln Discovered | 17003 | Indicates that the VIS component detected a new vulnerability. | 3 |
New OS Discovered | 17004 | Indicates that the VIS component detected a new operating system on a host. | 3 |
Bulk Host Discovered | 17005 | Indicates that the VIS component detected many new hosts in a short period. | 3 |
Application
The application category contains events that are related to application activity, such as email or FTP activity.
The following table describes the low-level event categories and associated severity levels for the application category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Mail Opened | 18001 | Indicates that an email connection was established. | 1 |
Mail Closed | 18002 | Indicates that an email connection was closed. | 1 |
Mail Reset | 18003 | Indicates that an email connection was reset. | 3 |
Mail Terminated | 18004 | Indicates that an email connection was terminated. | 4 |
Mail Denied | 18005 | Indicates that an email connection was denied. | 4 |
Mail in Progress | 18006 | Indicates that an email connection is being attempted. | 1 |
Mail Delayed | 18007 | Indicates that an email connection was delayed. | 4 |
Mail Queued | 18008 | Indicates that an email connection was queued. | 3 |
Mail Redirected | 18009 | Indicates that an email connection was redirected. | 1 |
FTP Opened | 18010 | Indicates that an FTP connection was opened. | 1 |
FTP Closed | 18011 | Indicates that an FTP connection was closed. | 1 |
FTP Reset | 18012 | Indicates that an FTP connection was reset. | 3 |
FTP Terminated | 18013 | Indicates that an FTP connection was terminated. | 4 |
FTP Denied | 18014 | Indicates that an FTP connection was denied. | 4 |
FTP In Progress | 18015 | Indicates that an FTP connection is in progress. | 1 |
FTP Redirected | 18016 | Indicates that an FTP connection was redirected. | 3 |
HTTP Opened | 18017 | Indicates that an HTTP connection was established. | 1 |
HTTP Closed | 18018 | Indicates that an HTTP connection was closed. | 1 |
HTTP Reset | 18019 | Indicates that an HTTP connection was reset. | 3 |
HTTP Terminated | 18020 | Indicates that an HTTP connection was terminated. | 4 |
HTTP Denied | 18021 | Indicates that an HTTP connection was denied. | 4 |
HTTP In Progress | 18022 | Indicates that an HTTP connection is in progress. | 1 |
HTTP Delayed | 18023 | Indicates that an HTTP connection was delayed. | 3 |
HTTP Queued | 18024 | Indicates that an HTTP connection was queued. | 1 |
HTTP Redirected | 18025 | Indicates that an HTTP connection was redirected. | 1 |
HTTP Proxy | 18026 | Indicates that an HTTP connection is being proxied. | 1 |
HTTPS Opened | 18027 | Indicates that an HTTPS connection was established. | 1 |
HTTPS Closed | 18028 | Indicates that an HTTPS connection was closed. | 1 |
HTTPS Reset | 18029 | Indicates that an HTTPS connection was reset. | 3 |
HTTPS Terminated | 18030 | Indicates that an HTTPS connection was terminated. | 4 |
HTTPS Denied | 18031 | Indicates that an HTTPS connection was denied. | 4 |
HTTPS In Progress | 18032 | Indicates that an HTTPS connection is in progress. | 1 |
HTTPS Delayed | 18033 | Indicates that an HTTPS connection was delayed. | 3 |
HTTPS Queued | 18034 | Indicates that an HTTPS connection was queued. | 3 |
HTTPS Redirected | 18035 | Indicates that an HTTPS connection was redirected. | 3 |
HTTPS Proxy | 18036 | Indicates that an HTTPS connection is proxied. | 1 |
SSH Opened | 18037 | Indicates that an SSH connection was established. | 1 |
SSH Closed | 18038 | Indicates that an SSH connection was closed. | 1 |
SSH Reset | 18039 | Indicates that an SSH connection was reset. | 3 |
SSH Terminated | 18040 | Indicates that an SSH connection was terminated. | 4 |
SSH Denied | 18041 | Indicates that an SSH session was denied. | 4 |
SSH In Progress | 18042 | Indicates that an SSH session is in progress. | 1 |
RemoteAccess Opened | 18043 | Indicates that a remote access connection was established. | 1 |
RemoteAccess Closed | 18044 | Indicates that a remote access connection was closed. | 1 |
RemoteAccess Reset | 18045 | Indicates that a remote access connection was reset. | 3 |
RemoteAccess Terminated | 18046 | Indicates that a remote access connection was terminated. | 4 |
RemoteAccess Denied | 18047 | Indicates that a remote access connection was denied. | 4 |
RemoteAccess In Progress | 18048 | Indicates that a remote access connection is in progress. | 1 |
RemoteAccess Delayed | 18049 | Indicates that a remote access connection was delayed. | 3 |
RemoteAccess Redirected | 18050 | Indicates that a remote access connection was redirected. | 3 |
VPN Opened | 18051 | Indicates that a VPN connection was opened. | 1 |
VPN Closed | 18052 | Indicates that a VPN connection was closed. | 1 |
VPN Reset | 18053 | Indicates that a VPN connection was reset. | 3 |
VPN Terminated | 18054 | Indicates that a VPN connection was terminated. | 4 |
VPN Denied | 18055 | Indicates that a VPN connection was denied. | 4 |
VPN In Progress | 18056 | Indicates that a VPN connection is in progress. | 1 |
VPN Delayed | 18057 | Indicates that a VPN connection was delayed. | 3 |
VPN Queued | 18058 | Indicates that a VPN connection was queued. | 3 |
VPN Redirected | 18059 | Indicates that a VPN connection was redirected. | 3 |
RDP Opened | 18060 | Indicates that an RDP connection was established. | 1 |
RDP Closed | 18061 | Indicates that an RDP connection was closed. | 1 |
RDP Reset | 18062 | Indicates that an RDP connection was reset. | 3 |
RDP Terminated | 18063 | Indicates that an RDP connection was terminated. | 4 |
RDP Denied | 18064 | Indicates that an RDP connection was denied. | 4 |
RDP In Progress | 18065 | Indicates that an RDP connection is in progress. | 1 |
RDP Redirected | 18066 | Indicates that an RDP connection was redirected. | 3 |
FileTransfer Opened | 18067 | Indicates that a file transfer connection was established. | 1 |
FileTransfer Closed | 18068 | Indicates that a file transfer connection was closed. | 1 |
FileTransfer Reset | 18069 | Indicates that a file transfer connection was reset. | 3 |
FileTransfer Terminated | 18070 | Indicates that a file transfer connection was terminated. | 4 |
FileTransfer Denied | 18071 | Indicates that a file transfer connection was denied. | 4 |
FileTransfer In Progress | 18072 | Indicates that a file transfer connection is in progress. | 1 |
FileTransfer Delayed | 18073 | Indicates that a file transfer connection was delayed. | 3 |
FileTransfer Queued | 18074 | Indicates that a file transfer connection was queued. | 3 |
FileTransfer Redirected | 18075 | Indicates that a file transfer connection was redirected. | 3 |
DNS Opened | 18076 | Indicates that a DNS connection was established. | 1 |
DNS Closed | 18077 | Indicates that a DNS connection was closed. | 1 |
DNS Reset | 18078 | Indicates that a DNS connection was reset. | 5 |
DNS Terminated | 18079 | Indicates that a DNS connection was terminated. | 5 |
DNS Denied | 18080 | Indicates that a DNS connection was denied. | 5 |
DNS In Progress | 18081 | Indicates that a DNS connection is in progress. | 1 |
DNS Delayed | 18082 | Indicates that a DNS connection was delayed. | 5 |
DNS Redirected | 18083 | Indicates that a DNS connection was redirected. | 4 |
Chat Opened | 18084 | Indicates that a chat connection was opened. | 1 |
Chat Closed | 18085 | Indicates that a chat connection was closed. | 1 |
Chat Reset | 18086 | Indicates that a chat connection was reset. | 3 |
Chat Terminated | 18087 | Indicates that a chat connection was terminated. | 3 |
Chat Denied | 18088 | Indicates that a chat connection was denied. | 3 |
Chat In Progress | 18089 | Indicates that a chat connection is in progress. | 1 |
Chat Redirected | 18090 | Indicates that a chat connection was redirected. | 1 |
Database Opened | 18091 | Indicates that a database connection was established. | 1 |
Database Closed | 18092 | Indicates that a database connection was closed. | 1 |
Database Reset | 18093 | Indicates that a database connection was reset. | 5 |
Database Terminated | 18094 | Indicates that a database connection was terminated. | 5 |
Database Denied | 18095 | Indicates that a database connection was denied. | 5 |
Database In Progress | 18096 | Indicates that a database connection is in progress. | 1 |
Database Redirected | 18097 | Indicates that a database connection was redirected. | 3 |
SMTP Opened | 18098 | Indicates that an SMTP connection was established. | 1 |
SMTP Closed | 18099 | Indicates that an SMTP connection was closed. | 1 |
SMTP Reset | 18100 | Indicates that an SMTP connection was reset. | 3 |
SMTP Terminated | 18101 | Indicates that an SMTP connection was terminated. | 5 |
SMTP Denied | 18102 | Indicates that an SMTP connection was denied. | 5 |
SMTP In Progress | 18103 | Indicates that an SMTP connection is in progress. | 1 |
SMTP Delayed | 18104 | Indicates that an SMTP connection was delayed. | 3 |
SMTP Queued | 18105 | Indicates that an SMTP connection was queued. | 3 |
SMTP Redirected | 18106 | Indicates that an SMTP connection was redirected. | 3 |
Auth Opened | 18107 | Indicates that an authorization server connection was established. | 1 |
Auth Closed | 18108 | Indicates that an authorization server connection was closed. | 1 |
Auth Reset | 18109 | Indicates that an authorization server connection was reset. | 3 |
Auth Terminated | 18110 | Indicates that an authorization server connection was terminated. | 4 |
Auth Denied | 18111 | Indicates that an authorization server connection was denied. | 4 |
Auth In Progress | 18112 | Indicates that an authorization server connection is in progress. | 1 |
Auth Delayed | 18113 | Indicates that an authorization server connection was delayed. | 3 |
Auth Queued | 18114 | Indicates that an authorization server connection was queued. | 3 |
Auth Redirected | 18115 | Indicates that an authorization server connection was redirected. | 2 |
P2P Opened | 18116 | Indicates that a Peer-to-Peer (P2P) connection was established. | 1 |
P2P Closed | 18117 | Indicates that a P2P connection was closed. | 1 |
P2P Reset | 18118 | Indicates that a P2P connection was reset. | 4 |
P2P Terminated | 18119 | Indicates that a P2P connection was terminated. | 4 |
P2P Denied | 18120 | Indicates that a P2P connection was denied. | 3 |
P2P In Progress | 18121 | Indicates that a P2P connection is in progress. | 1 |
Web Opened | 18122 | Indicates that a web connection was established. | 1 |
Web Closed | 18123 | Indicates that a web connection was closed. | 1 |
Web Reset | 18124 | Indicates that a web connection was reset. | 4 |
Web Terminated | 18125 | Indicates that a web connection was terminated. | 4 |
Web Denied | 18126 | Indicates that a web connection was denied. | 4 |
Web In Progress | 18127 | Indicates that a web connection is in progress. | 1 |
Web Delayed | 18128 | Indicates that a web connection was delayed. | 3 |
Web Queued | 18129 | Indicates that a web connection was queued. | 1 |
Web Redirected | 18130 | Indicates that a web connection was redirected. | 1 |
Web Proxy | 18131 | Indicates that a web connection was proxied. | 1 |
VoIP Opened | 18132 | Indicates that a Voice Over IP (VoIP) connection was established. | 1 |
VoIP Closed | 18133 | Indicates that a VoIP connection was closed. | 1 |
VoIP Reset | 18134 | Indicates that a VoIP connection was reset. | 3 |
VoIP Terminated | 18135 | Indicates that a VoIP connection was terminated. | 3 |
VoIP Denied | 18136 | Indicates that a VoIP connection was denied. | 3 |
VoIP In Progress | 18137 | Indicates that a VoIP connection is in progress. | 1 |
VoIP Delayed | 18138 | Indicates that a VoIP connection was delayed. | 3 |
VoIP Redirected | 18139 | Indicates that a VoIP connection was redirected. | 3 |
LDAP Session Started | 18140 | Indicates an LDAP session started. | 1 |
LDAP Session Ended | 18141 | Indicates an LDAP session ended. | 1 |
LDAP Session Denied | 18142 | Indicates that an LDAP session was denied. | 3 |
LDAP Session Status | 18143 | Indicates that an LDAP session status message was reported. | 1 |
LDAP Authentication Failed | 18144 | Indicates that an LDAP authentication failed. | 4 |
LDAP Authentication Succeeded | 18145 | Indicates that an LDAP authentication was successful. | 1 |
AAA Session Started | 18146 | Indicates that an Authentication, Authorization, and Accounting (AAA) session started. | 1 |
AAA Session Ended | 18147 | Indicates that an AAA session ended. | 1 |
AAA Session Denied | 18148 | Indicates that an AAA session was denied. | 3 |
AAA Session Status | 18149 | Indicates that an AAA session status message was reported. | 1 |
AAA Authentication Failed | 18150 | Indicates that an AAA authentication failed. | 4 |
AAA Authentication Succeeded | 18151 | Indicates that an AAA authentication was successful. | 1 |
IPSEC Authentication Failed | 18152 | Indicates that an Internet Protocol Security (IPSEC) authentication failed. | 4 |
IPSEC Authentication Succeeded | 18153 | Indicates that an IPSEC authentication was successful. | 1 |
IPSEC Session Started | 18154 | Indicates that an IPSEC session started. | 1 |
IPSEC Session Ended | 18155 | Indicates that an IPSEC session ended. | 1 |
IPSEC Error | 18156 | Indicates that an IPSEC error message was reported. | 5 |
IPSEC Status | 18157 | Indicates that an IPSEC session status message was reported. | 1 |
IM Session Opened | 18158 | Indicates that an Instant Messenger (IM) session was established. | 1 |
IM Session Closed | 18159 | Indicates that an IM session was closed. | 1 |
IM Session Reset | 18160 | Indicates that an IM session was reset. | 3 |
IM Session Terminated | 18161 | Indicates that an IM session was terminated. | 3 |
IM Session Denied | 18162 | Indicates that an IM session was denied. | 3 |
IM Session In Progress | 18163 | Indicates that an IM session is in progress. | 1 |
IM Session Delayed | 18164 | Indicates that an IM session was delayed. | 3 |
IM Session Redirected | 18165 | Indicates that an IM session was redirected. | 3 |
WHOIS Session Opened | 18166 | Indicates that a WHOIS session was established. | 1 |
WHOIS Session Closed | 18167 | Indicates that a WHOIS session was closed. | 1 |
WHOIS Session Reset | 18168 | Indicates that a WHOIS session was reset. | 3 |
WHOIS Session Terminated | 18169 | Indicates that a WHOIS session was terminated. | 3 |
WHOIS Session Denied | 18170 | Indicates that a WHOIS session was denied. | 3 |
WHOIS Session In Progress | 18171 | Indicates that a WHOIS session is in progress. | 1 |
WHOIS Session Redirected | 18172 | Indicates that a WHOIS session was redirected. | 3 |
Traceroute Session Opened | 18173 | Indicates that a Traceroute session was established. | 1 |
Traceroute Session Closed | 18174 | Indicates that a Traceroute session was closed. | 1 |
Traceroute Session Denied | 18175 | Indicates that a Traceroute session was denied. | 3 |
Traceroute Session In Progress | 18176 | Indicates that a Traceroute session is in progress. | 1 |
TN3270 Session Opened | 18177 | TN3270 is a terminal emulation program, which is used to connect to an IBM 3270 terminal. This category indicates that a TN3270 session was established. | 1 |
TN3270 Session Closed | 18178 | Indicates that a TN3270 session was closed. | 1 |
TN3270 Session Reset | 18179 | Indicates that a TN3270 session was reset. | 3 |
TN3270 Session Terminated | 18180 | Indicates that a TN3270 session was terminated. | 3 |
TN3270 Session Denied | 18181 | Indicates that a TN3270 session was denied. | 3 |
TN3270 Session In Progress | 18182 | Indicates that a TN3270 session is in progress. | 1 |
TFTP Session Opened | 18183 | Indicates that a TFTP session was established. | 1 |
TFTP Session Closed | 18184 | Indicates that a TFTP session was closed. | 1 |
TFTP Session Reset | 18185 | Indicates that a TFTP session was reset. | 3 |
TFTP Session Terminated | 18186 | Indicates that a TFTP session was terminated. | 3 |
TFTP Session Denied | 18187 | Indicates that a TFTP session was denied. | 3 |
TFTP Session In Progress | 18188 | Indicates that a TFTP session is in progress. | 1 |
Telnet Session Opened | 18189 | Indicates that a Telnet session was established. | 1 |
Telnet Session Closed | 18190 | Indicates that a Telnet session was closed. | 1 |
Telnet Session Reset | 18191 | Indicates that a Telnet session was reset. | 3 |
Telnet Session Terminated | 18192 | Indicates that a Telnet session was terminated. | 3 |
Telnet Session Denied | 18193 | Indicates that a Telnet session was denied. | 3 |
Telnet Session In Progress | 18194 | Indicates that a Telnet session is in progress. | 1 |
Syslog Session Opened | 18201 | Indicates that a syslog session was established. | 1 |
Syslog Session Closed | 18202 | Indicates that a syslog session was closed. | 1 |
Syslog Session Denied | 18203 | Indicates that a syslog session was denied. | 3 |
Syslog Session In Progress | 18204 | Indicates that a syslog session is in progress. | 1 |
SSL Session Opened | 18205 | Indicates that a Secure Sockets Layer (SSL) session was established. | 1 |
SSL Session Closed | 18206 | Indicates that an SSL session was closed. | 1 |
SSL Session Reset | 18207 | Indicates that an SSL session was reset. | 3 |
SSL Session Terminated | 18208 | Indicates that an SSL session was terminated. | 3 |
SSL Session Denied | 18209 | Indicates that an SSL session was denied. | 3 |
SSL Session In Progress | 18210 | Indicates that an SSL session is in progress. | 1 |
SNMP Session Opened | 18211 | Indicates that a Simple Network Management Protocol (SNMP) session was established. | 1 |
SNMP Session Closed | 18212 | Indicates that an SNMP session was closed. | 1 |
SNMP Session Denied | 18213 | Indicates that an SNMP session was denied. | 3 |
SNMP Session In Progress | 18214 | Indicates that an SNMP session is in progress. | 1 |
SMB Session Opened | 18215 | Indicates that a Server Message Block (SMB) session was established. | 1 |
SMB Session Closed | 18216 | Indicates that an SMB session was closed. | 1 |
SMB Session Reset | 18217 | Indicates that an SMB session was reset. | 3 |
SMB Session Terminated | 18218 | Indicates that an SMB session was terminated. | 3 |
SMB Session Denied | 18219 | Indicates that an SMB session was denied. | 3 |
SMB Session In Progress | 18220 | Indicates that an SMB session is in progress. | 1 |
Streaming Media Session Opened | 18221 | Indicates that a Streaming Media session was established. | 1 |
Streaming Media Session Closed | 18222 | Indicates that a Streaming Media session was closed. | 1 |
Streaming Media Session Reset | 18223 | Indicates that a Streaming Media session was reset. | 3 |
Streaming Media Session Terminated | 18224 | Indicates that a Streaming Media session was terminated. | 3 |
Streaming Media Session Denied | 18225 | Indicates that a Streaming Media session was denied. | 3 |
Streaming Media Session In Progress | 18226 | Indicates that a Streaming Media session is in progress. | 1 |
RUSERS Session Opened | 18227 | Indicates that a Remote Users (RUSERS) session was established. | 1 |
RUSERS Session Closed | 18228 | Indicates that a RUSERS session was closed. | 1 |
RUSERS Session Denied | 18229 | Indicates that a RUSERS session was denied. | 3 |
RUSERS Session In Progress | 18230 | Indicates that a RUSERS session is in progress. | 1 |
Rsh Session Opened | 18231 | Indicates that a remote shell (rsh) session was established. | 1 |
Rsh Session Closed | 18232 | Indicates that an rsh session was closed. | 1 |
Rsh Session Reset | 18233 | Indicates that an rsh session was reset. | 3 |
Rsh Session Terminated | 18234 | Indicates that an rsh session was terminated. | 3 |
Rsh Session Denied | 18235 | Indicates that an rsh session was denied. | 3 |
Rsh Session In Progress | 18236 | Indicates that an rsh session is in progress. | 1 |
RLOGIN Session Opened | 18237 | Indicates that a Remote Login (RLOGIN) session was established. | 1 |
RLOGIN Session Closed | 18238 | Indicates that an RLOGIN session was closed. | 1 |
RLOGIN Session Reset | 18239 | Indicates that an RLOGIN session was reset. | 3 |
RLOGIN Session Terminated | 18240 | Indicates that an RLOGIN session was terminated. | 3 |
RLOGIN Session Denied | 18241 | Indicates that an RLOGIN session was denied. | 3 |
RLOGIN Session In Progress | 18242 | Indicates that an RLOGIN session is in progress. | 1 |
REXEC Session Opened | 18243 | Indicates that a Remote Execution (REXEC) session was established. | 1 |
REXEC Session Closed | 18244 | Indicates that an REXEC session was closed. | 1 |
REXEC Session Reset | 18245 | Indicates that an REXEC session was reset. | 3 |
REXEC Session Terminated | 18246 | Indicates that an REXEC session was terminated. | 3 |
REXEC Session Denied | 18247 | Indicates that an REXEC session was denied. | 3 |
REXEC Session In Progress | 18248 | Indicates that an REXEC session is in progress. | 1 |
RPC Session Opened | 18249 | Indicates that a Remote Procedure Call (RPC) session was established. | 1 |
RPC Session Closed | 18250 | Indicates that an RPC session was closed. | 1 |
RPC Session Reset | 18251 | Indicates that an RPC session was reset. | 3 |
RPC Session Terminated | 18252 | Indicates that an RPC session was terminated. | 3 |
RPC Session Denied | 18253 | Indicates that an RPC session was denied. | 3 |
RPC Session In Progress | 18254 | Indicates that an RPC session is in progress. | 1 |
NTP Session Opened | 18255 | Indicates that a Network Time Protocol (NTP) session was established. | 1 |
NTP Session Closed | 18256 | Indicates that an NTP session was closed. | 1 |
NTP Session Reset | 18257 | Indicates that an NTP session was reset. | 3 |
NTP Session Terminated | 18258 | Indicates that an NTP session was terminated. | 3 |
NTP Session Denied | 18259 | Indicates that an NTP session was denied. | 3 |
NTP Session In Progress | 18260 | Indicates that an NTP session is in progress. | 1 |
NNTP Session Opened | 18261 | Indicates that a Network News Transfer Protocol (NNTP) session was established. | 1 |
NNTP Session Closed | 18262 | Indicates that an NNTP session was closed. | 1 |
NNTP Session Reset | 18263 | Indicates that an NNTP session was reset. | 3 |
NNTP Session Terminated | 18264 | Indicates that an NNTP session was terminated. | 3 |
NNTP Session Denied | 18265 | Indicates that an NNTP session was denied. | 3 |
NNTP Session In Progress | 18266 | Indicates that an NNTP session is in progress. | 1 |
NFS Session Opened | 18267 | Indicates that a Network File System (NFS) session was established. | 1 |
NFS Session Closed | 18268 | Indicates that an NFS session was closed. | 1 |
NFS Session Reset | 18269 | Indicates that an NFS session was reset. | 3 |
NFS Session Terminated | 18270 | Indicates that an NFS session was terminated. | 3 |
NFS Session Denied | 18271 | Indicates that an NFS session was denied. | 3 |
NFS Session In Progress | 18272 | Indicates that an NFS session is in progress. | 1 |
NCP Session Opened | 18273 | Indicates that a Network Control Program (NCP) session was established. | 1 |
NCP Session Closed | 18274 | Indicates that an NCP session was closed. | 1 |
NCP Session Reset | 18275 | Indicates that an NCP session was reset. | 3 |
NCP Session Terminated | 18276 | Indicates that an NCP session was terminated. | 3 |
NCP Session Denied | 18277 | Indicates that an NCP session was denied. | 3 |
NCP Session In Progress | 18278 | Indicates that an NCP session is in progress. | 1 |
NetBIOS Session Opened | 18279 | Indicates that a NetBIOS session was established. | 1 |
NetBIOS Session Closed | 18280 | Indicates that a NetBIOS session was closed. | 1 |
NetBIOS Session Reset | 18281 | Indicates that a NetBIOS session was reset. | 3 |
NetBIOS Session Terminated | 18282 | Indicates that a NetBIOS session was terminated. | 3 |
NetBIOS Session Denied | 18283 | Indicates that a NetBIOS session was denied. | 3 |
NetBIOS Session In Progress | 18284 | Indicates that a NetBIOS session is in progress. | 1 |
MODBUS Session Opened | 18285 | Indicates that a MODBUS session was established. | 1 |
MODBUS Session Closed | 18286 | Indicates that a MODBUS session was closed. | 1 |
MODBUS Session Reset | 18287 | Indicates that a MODBUS session was reset. | 3 |
MODBUS Session Terminated | 18288 | Indicates that a MODBUS session was terminated. | 3 |
MODBUS Session Denied | 18289 | Indicates that a MODBUS session was denied. | 3 |
MODBUS Session In Progress | 18290 | Indicates that a MODBUS session is in progress. | 1 |
LPD Session Opened | 18291 | Indicates that a Line Printer Daemon (LPD) session was established. | 1 |
LPD Session Closed | 18292 | Indicates that an LPD session was closed. | 1 |
LPD Session Reset | 18293 | Indicates that an LPD session was reset. | 3 |
LPD Session Terminated | 18294 | Indicates that an LPD session was terminated. | 3 |
LPD Session Denied | 18295 | Indicates that an LPD session was denied. | 3 |
LPD Session In Progress | 18296 | Indicates that an LPD session is in progress. | 1 |
Lotus Notes® Session Opened | 18297 | Indicates that a Lotus Notes session was established. | 1 |
Lotus Notes Session Closed | 18298 | Indicates that a Lotus Notes session was closed. | 1 |
Lotus Notes Session Reset | 18299 | Indicates that a Lotus Notes session was reset. | 3 |
Lotus Notes Session Terminated | 18300 | Indicates that a Lotus Notes session was terminated. | 3 |
Lotus Notes Session Denied | 18301 | Indicates that a Lotus Notes session was denied. | 3 |
Lotus Notes Session In Progress | 18302 | Indicates that a Lotus Notes session is in progress. | 1 |
Kerberos Session Opened | 18303 | Indicates that a Kerberos session was established. | 1 |
Kerberos Session Closed | 18304 | Indicates that a Kerberos session was closed. | 1 |
Kerberos Session Reset | 18305 | Indicates that a Kerberos session was reset. | 3 |
Kerberos Session Terminated | 18306 | Indicates that a Kerberos session was terminated. | 3 |
Kerberos Session Denied | 18307 | Indicates that a Kerberos session was denied. | 3 |
Kerberos Session In Progress | 18308 | Indicates that a Kerberos session is in progress. | 1 |
IRC Session Opened | 18309 | Indicates that an Internet Relay Chat (IRC) session was established. | 1 |
IRC Session Closed | 18310 | Indicates that an IRC session was closed. | 1 |
IRC Session Reset | 18311 | Indicates that an IRC session was reset. | 3 |
IRC Session Terminated | 18312 | Indicates that an IRC session was terminated. | 3 |
IRC Session Denied | 18313 | Indicates that an IRC session was denied. | 3 |
IRC Session In Progress | 18314 | Indicates that an IRC session is in progress. | 1 |
IEC 104 Session Opened | 18315 | Indicates that an IEC 104 session was established. | 1 |
IEC 104 Session Closed | 18316 | Indicates that an IEC 104 session was closed. | 1 |
IEC 104 Session Reset | 18317 | Indicates that an IEC 104 session was reset. | 3 |
IEC 104 Session Terminated | 18318 | Indicates that an IEC 104 session was terminated. | 3 |
IEC 104 Session Denied | 18319 | Indicates that an IEC 104 session was denied. | 3 |
IEC 104 Session In Progress | 18320 | Indicates that an IEC 104 session is in progress. | 1 |
Ident Session Opened | 18321 | Indicates that a TCP Client Identity Protocol (Ident) session was established. | 1 |
Ident Session Closed | 18322 | Indicates that an Ident session was closed. | 1 |
Ident Session Reset | 18323 | Indicates that an Ident session was reset. | 3 |
Ident Session Terminated | 18324 | Indicates that an Ident session was terminated. | 3 |
Ident Session Denied | 18325 | Indicates that an Ident session was denied. | 3 |
Ident Session In Progress | 18326 | Indicates that an Ident session is in progress. | 1 |
ICCP Session Opened | 18327 | Indicates that an Inter-Control Center Communications Protocol (ICCP) session was established. | 1 |
ICCP Session Closed | 18328 | Indicates that an ICCP session was closed. | 1 |
ICCP Session Reset | 18329 | Indicates that an ICCP session was reset. | 3 |
ICCP Session Terminated | 18330 | Indicates that an ICCP session was terminated. | 3 |
ICCP Session Denied | 18331 | Indicates that an ICCP session was denied. | 3 |
ICCP Session In Progress | 18332 | Indicates that an ICCP session is in progress. | 1 |
GroupWise Session Opened | 18333 | Indicates that a GroupWise session was established. | 1 |
GroupWise Session Closed | 18334 | Indicates that a GroupWise session was closed. | 1 |
GroupWise Session Reset | 18335 | Indicates that a GroupWise session was reset. | 3 |
GroupWise Session Terminated | 18336 | Indicates that a GroupWise session was terminated. | 3 |
GroupWise Session Denied | 18337 | Indicates that a GroupWise session was denied. | 3 |
GroupWise Session In Progress | 18338 | Indicates that a GroupWise session is in progress. | 1 |
Gopher Session Opened | 18339 | Indicates that a Gopher session was established. | 1 |
Gopher Session Closed | 18340 | Indicates that a Gopher session was closed. | 1 |
Gopher Session Reset | 18341 | Indicates that a Gopher session was reset. | 3 |
Gopher Session Terminated | 18342 | Indicates that a Gopher session was terminated. | 3 |
Gopher Session Denied | 18343 | Indicates that a Gopher session was denied. | 3 |
Gopher Session In Progress | 18344 | Indicates that a Gopher session is in progress. | 1 |
GIOP Session Opened | 18345 | Indicates that a General Inter-ORB Protocol (GIOP) session was established. | 1 |
GIOP Session Closed | 18346 | Indicates that a GIOP session was closed. | 1 |
GIOP Session Reset | 18347 | Indicates that a GIOP session was reset. | 3 |
GIOP Session Terminated | 18348 | Indicates that a GIOP session was terminated. | 3 |
GIOP Session Denied | 18349 | Indicates that a GIOP session was denied. | 3 |
GIOP Session In Progress | 18350 | Indicates that a GIOP session is in progress. | 1 |
Finger Session Opened | 18351 | Indicates that a Finger session was established. | 1 |
Finger Session Closed | 18352 | Indicates that a Finger session was closed. | 1 |
Finger Session Reset | 18353 | Indicates that a Finger session was reset. | 3 |
Finger Session Terminated | 18354 | Indicates that a Finger session was terminated. | 3 |
Finger Session Denied | 18355 | Indicates that a Finger session was denied. | 3 |
Finger Session In Progress | 18356 | Indicates that a Finger session is in progress. | 1 |
Echo Session Opened | 18357 | Indicates that an Echo session was established. | 1 |
Echo Session Closed | 18358 | Indicates that an Echo session was closed. | 1 |
Echo Session Denied | 18359 | Indicates that an Echo session was denied. | 3 |
Echo Session In Progress | 18360 | Indicates that an Echo session is in progress. | 1 |
Remote .NET Session Opened | 18361 | Indicates that a Remote .NET session was established. | 1 |
Remote .NET Session Closed | 18362 | Indicates that a Remote .NET session was closed. | 1 |
Remote .NET Session Reset | 18363 | Indicates that a Remote .NET session was reset. | 3 |
Remote .NET Session Terminated | 18364 | Indicates that a Remote .NET session was terminated. | 3 |
Remote .NET Session Denied | 18365 | Indicates that a Remote .NET session was denied. | 3 |
Remote .NET Session In Progress | 18366 | Indicates that a Remote .NET session is in progress. | 1 |
DNP3 Session Opened | 18367 | Indicates that a Distributed Network Protocol (DNP3) session was established. | 1 |
DNP3 Session Closed | 18368 | Indicates that a DNP3 session was closed. | 1 |
DNP3 Session Reset | 18369 | Indicates that a DNP3 session was reset. | 3 |
DNP3 Session Terminated | 18370 | Indicates that a DNP3 session was terminated. | 3 |
DNP3 Session Denied | 18371 | Indicates that a DNP3 session was denied. | 3 |
DNP3 Session In Progress | 18372 | Indicates that a DNP3 session is in progress. | 1 |
Discard Session Opened | 18373 | Indicates that a Discard session was established. | 1 |
Discard Session Closed | 18374 | Indicates that a Discard session was closed. | 1 |
Discard Session Reset | 18375 | Indicates that a Discard session was reset. | 3 |
Discard Session Terminated | 18376 | Indicates that a Discard session was terminated. | 3 |
Discard Session Denied | 18377 | Indicates that a Discard session was denied. | 3 |
Discard Session In Progress | 18378 | Indicates that a Discard session is in progress. | 1 |
DHCP Session Opened | 18379 | Indicates that a Dynamic Host Configuration Protocol (DHCP) session was established. | 1 |
DHCP Session Closed | 18380 | Indicates that a DHCP session was closed. | 1 |
DHCP Session Denied | 18381 | Indicates that a DHCP session was denied. | 3 |
DHCP Session In Progress | 18382 | Indicates that a DHCP session is in progress. | 1 |
DHCP Success | 18383 | Indicates that a DHCP lease was successfully obtained. | 1 |
DHCP Failure | 18384 | Indicates that a DHCP lease cannot be obtained. | 3 |
CVS Session Opened | 18385 | Indicates that a Concurrent Versions System (CVS) session was established. | 1 |
CVS Session Closed | 18386 | Indicates that a CVS session was closed. | 1 |
CVS Session Reset | 18387 | Indicates that a CVS session was reset. | 3 |
CVS Session Terminated | 18388 | Indicates that a CVS session was terminated. | 3 |
CVS Session Denied | 18389 | Indicates that a CVS session was denied. | 3 |
CVS Session In Progress | 18390 | Indicates that a CVS session is in progress. | 1 |
CUPS Session Opened | 18391 | Indicates that a Common UNIX Printing System (CUPS) session was established. | 1 |
CUPS Session Closed | 18392 | Indicates that a CUPS session was closed. | 1 |
CUPS Session Reset | 18393 | Indicates that a CUPS session was reset. | 3 |
CUPS Session Terminated | 18394 | Indicates that a CUPS session was terminated. | 3 |
CUPS Session Denied | 18395 | Indicates that a CUPS session was denied. | 3 |
CUPS Session In Progress | 18396 | Indicates that a CUPS session is in progress. | 1 |
Chargen Session Started | 18397 | Indicates that a Character Generator (Chargen) session was started. | 1 |
Chargen Session Closed | 18398 | Indicates that a Chargen session was closed. | 1 |
Chargen Session Reset | 18399 | Indicates that a Chargen session was reset. | 3 |
Chargen Session Terminated | 18400 | Indicates that a Chargen session was terminated. | 3 |
Chargen Session Denied | 18401 | Indicates that a Chargen session was denied. | 3 |
Chargen Session In Progress | 18402 | Indicates that a Chargen session is in progress. | 1 |
Misc VPN | 18403 | Indicates that a miscellaneous VPN session was detected. | 1 |
DAP Session Started | 18404 | Indicates that a DAP session was established. | 1 |
DAP Session Ended | 18405 | Indicates that a DAP session ended. | 1 |
DAP Session Denied | 18406 | Indicates that a DAP session was denied. | 3 |
DAP Session Status | 18407 | Indicates that a DAP session status request was made. | 1 |
DAP Session in Progress | 18408 | Indicates that a DAP session is in progress. | 1 |
DAP Authentication Failed | 18409 | Indicates that a DAP authentication failed. | 4 |
DAP Authentication Succeeded | 18410 | Indicates that DAP authentication succeeded. | 1 |
TOR Session Started | 18411 | Indicates that a TOR session was established. | 1 |
TOR Session Closed | 18412 | Indicates that a TOR session was closed. | 1 |
TOR Session Reset | 18413 | Indicates that a TOR session was reset. | 3 |
TOR Session Terminated | 18414 | Indicates that a TOR session was terminated. | 3 |
TOR Session Denied | 18415 | Indicates that a TOR session was denied. | 3 |
TOR Session In Progress | 18416 | Indicates that a TOR session is in progress. | 1 |
Game Session Started | 18417 | Indicates that a game session was started. | 1 |
Game Session Closed | 18418 | Indicates that a game session was closed. | 1 |
Game Session Reset | 18419 | Indicates that a game session was reset. | 3 |
Game Session Terminated | 18420 | Indicates that a game session was terminated. | 3 |
Game Session Denied | 18421 | Indicates that a game session was denied. | 3 |
Game Session In Progress | 18422 | Indicates that a game session is in progress. | 1 |
Admin Login Attempt | 18423 | Indicates that an attempt to log in as an administrative user was detected. | 2 |
User Login Attempt | 18424 | Indicates that an attempt to log in as a non-administrative user was detected. | 2 |
Client Server | 18425 | Indicates client/server activity. | 1 |
Content Delivery | 18426 | Indicates content delivery activity. | 1 |
Data Transfer | 18427 | Indicates a data transfer. | 3 |
Data Warehousing | 18428 | Indicates data warehousing activity. | 3 |
Directory Services | 18429 | Indicates directory service activity. | 2 |
File Print | 18430 | Indicates file print activity. | 1 |
File Transfer | 18431 | Indicates file transfer activity. | 2 |
Games | 18432 | Indicates game activity. | 4 |
Healthcare | 18433 | Indicates healthcare activity. | 1 |
Inner System | 18434 | Indicates inner system activity. | 1 |
Internet Protocol | 18435 | Indicates Internet Protocol activity. | 1 |
Legacy | 18436 | Indicates legacy activity. | 1 |
18437 | Indicates mail activity. | 1 | |
Misc | 18438 | Indicates miscellaneous activity. | 2 |
Multimedia | 18439 | Indicates multimedia activity. | 2 |
Network Management | 18440 | Indicates network management activity. | |
P2P | 18441 | Indicates Peer-to-Peer (P2P) activity. | 4 |
Remote Access | 18442 | Indicates Remote Access activity. | 3 |
Routing Protocols | 18443 | Indicates routing protocol activity. | 1 |
Security Protocols | 18444 | Indicates security protocol activity. | 2 |
Streaming | 18445 | Indicates streaming activity. | 2 |
Uncommon Protocol | 18446 | Indicates uncommon protocol activity. | 3 |
VoIP | 18447 | Indicates VoIP activity. | 1 |
Web | 18448 | Indicates web activity. | 1 |
ICMP | 18449 | Indicates ICMP activity. | 1 |
Audit
The audit category contains events that are related to audit activity, such as email or FTP activity.
The following table describes the low-level event categories and associated severity levels for the audit category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
General Audit Event | 19001 | Indicates that a general audit event was started. | 1 |
Built-in Execution | 19002 | Indicates that a built-in audit task was run. | 1 |
Bulk Copy | 19003 | Indicates that a bulk copy of data was detected. | 1 |
Data Dump | 19004 | Indicates that a data dump was detected. | 1 |
Data Import | 19005 | Indicates that a data import was detected. | 1 |
Data Selection | 19006 | Indicates that a data selection process was detected. | 1 |
Data Truncation | 19007 | Indicates that the data truncation process was detected. | 1 |
Data Update | 19008 | Indicates that the data update process was detected. | 1 |
Procedure/Trigger Execution | 19009 | Indicates that the database procedure or trigger execution was detected. | 1 |
Schema Change | 19010 | Indicates that the schema for a procedure or trigger execution was altered. | 1 |
Create Activity Attempted | 19011 | Indicates that creating activity was attempted. | 1 |
Create Activity Succeeded | 19012 | Indicates that creating activity was successful. | 1 |
Create Activity Failed | 19013 | Indicates that creating activity failed. | 3 |
Read Activity Attempted | 19014 | Indicates that a reading activity was attempted. | 1 |
Read Activity Succeeded | 19015 | Indicates that a reading activity was successful. | 1 |
Read Activity Failed | 19016 | Indicates that reading activity failed. | 3 |
Update Activity Attempted | 19017 | Indicates that updating activity was attempted. | 1 |
Update Activity Succeeded | 19018 | Indicates that updating activity was successful. | 1 |
Update Activity Failed | 19019 | Indicates that updating activity failed. | 3 |
Delete Activity Attempted | 19020 | Indicates that deleting activity was attempted. | 1 |
Delete Activity Succeeded | 19021 | Indicates that deleting activity was successful. | 1 |
Delete Activity Failed | 19022 | Indicates that deleting activity failed. | 3 |
Backup Activity Attempted | 19023 | Indicates that backup activity was attempted. | 1 |
Backup Activity Succeeded | 19024 | Indicates that backup activity was successful. | 1 |
Backup Activity Failed | 19025 | Indicates that backup activity failed. | 3 |
Capture Activity Attempted | 19026 | Indicates that capturing activity was attempted. | 1 |
Capture Activity Succeeded | 19027 | Indicates that capturing activity was successful. | 1 |
Capture Activity Failed | 19028 | Indicates that capturing activity failed. | 3 |
Configure Activity Attempted | 19029 | Indicates that configuration activity was attempted. | 1 |
Configure Activity Succeeded | 19030 | Indicates that configuration activity was successful. | 1 |
Configure Activity Failed | 19031 | Indicates that configuration activity failed. | 3 |
Deploy Activity Attempted | 19032 | Indicates that deployment activity was attempted. | 1 |
Deploy Activity Succeeded | 19033 | Indicates that deployment activity was successful. | 1 |
Deploy Activity Failed | 19034 | Indicates that deployment activity failed. | 3 |
Disable Activity Attempted | 19035 | Indicates that disabling activity was attempted. | 1 |
Disable Activity Succeeded | 19036 | Indicates that disabling activity was successful. | 1 |
Disable Activity Failed | 19037 | Indicates that disabling activity failed. | 3 |
Enable Activity Attempted | 19038 | Indicates that enabling activity was attempted. | 1 |
Enable Activity Succeeded | 19039 | Indicates that enabling activity was successful. | 1 |
Enable Activity Failed | 19040 | Indicates that enabling activity failed. | 3 |
Monitor Activity Attempted | 19041 | Indicates that monitoring activity was attempted. | 1 |
Monitor Activity Succeeded | 19042 | Indicates that monitoring activity was successful. | 1 |
Monitor Activity Failed | 19043 | Indicates that monitoring activity failed. | 3 |
Restore Activity Attempted | 19044 | Indicates that restoring activity was attempted. | 1 |
Restore Activity Succeeded | 19045 | Indicates that restoring activity was successful. | 1 |
Restore Activity Failed | 19046 | Indicates that restoring activity failed. | 3 |
Start Activity Attempted | 19047 | Indicates that starting activity was attempted. | 1 |
Start Activity Succeeded | 19048 | Indicates that starting activity was successful. | 1 |
Start Activity Failed | 19049 | Indicates that starting activity failed. | 3 |
Stop Activity Attempted | 19050 | Indicates that stopping activity was attempted. | 1 |
Stop Activity Succeeded | 19051 | Indicates that stopping activity was successful. | 1 |
Stop Activity Failed | 19052 | Indicates that stopping activity failed. | 3 |
Undeploy Activity Attempted | 19053 | Indicates that undeploy activity was attempted. | 1 |
Undeploy Activity Succeeded | 19054 | Indicates that undeploy activity was successful. | 1 |
Undeploy Activity Failed | 19055 | Indicates that undeploy activity failed. | 3 |
Receive Activity Attempted | 19056 | Indicates that receiving activity was attempted. | 1 |
Receive Activity Succeeded | 19057 | Indicates that receiving activity was successful. | 1 |
Receive Activity Failed | 19058 | Indicates that receiving activity failed. | 3 |
Send Activity Attempted | 19059 | Indicates that sending activity was attempted. | 1 |
Send Activity Succeeded | 19060 | Indicates that sending activity was successful. | 1 |
Send Activity Failed | 19061 | Indicates that sending activity failed. | 3 |
Risk
The risk category contains events that are related to IBM QRadar Risk Manager.
The following table describes the low-level event categories and associated severity levels for the risk category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Policy Exposure | 20001 | Indicates that a policy exposure was detected. | 5 |
Compliance Violation | 20002 | Indicates that a compliance violation was detected. | 5 |
Exposed Vulnerability | 20003 | Indicates that the network or device has an exposed vulnerability. | 9 |
Remote Access Vulnerability | 20004 | Indicates that the network or device has a remote access vulnerability. | 9 |
Local Access Vulnerability | 20005 | Indicates that the network or device has local access vulnerability. | 7 |
Open Wireless Access | 20006 | Indicates that the network or device has open wireless access. | 5 |
Weak Encryption | 20007 | Indicates that the host or device has weak encryption. | 5 |
Un-Encrypted Data Transfer | 20008 | Indicates that a host or device is transmitting data that is not encrypted. | 3 |
Un-Encrypted Data Store | 20009 | Indicates that the data store is not encrypted. | 3 |
Mis-Configured Rule | 20010 | Indicates that a rule is not configured properly. | 3 |
Mis-Configured Device | 20011 | Indicates that a device on the network is not configured properly. | 3 |
Mis-Configured Host | 20012 | Indicates that a network host is not configured properly. | 3 |
Data Loss Possible | 20013 | Indicates that the possibility of data loss was detected. | 5 |
Weak Authentication | 20014 | Indicates that a host or device is susceptible to fraud. | 5 |
No Password | 20015 | Indicates that no password exists. | 7 |
Fraud | 20016 | Indicates that a host or device is susceptible to fraud. | 7 |
Possible DoS Target | 20017 | Indicates a host or device is a possible DoS target. | 3 |
Possible DoS Weakness | 20018 | Indicates a host or device has a possible DoS weakness. | 3 |
Loss of Confidentiality | 20019 | Indicates that a loss of confidentiality was detected. | 5 |
Policy Monitor Risk Score Accumulation | 20020 | Indicates that a policy monitor risk score accumulation was detected. | 1 |
Risk Manager Audit
The Risk Manager audit category contains events that are related to IBM QRadar Risk Manager audit activity.
The following table describes the low-level event categories and associated severity levels for the Risk Manager audit category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Policy Monitor | 21001 | Indicates that a policy monitor was modified. | 3 |
Topology | 21002 | Indicates that a topology was modified. | 3 |
Simulations | 21003 | Indicates that a simulation was modified. | 3 |
Administration | 21004 | Indicates that administrative changes were made. | 3 |
Control
The control category contains events that are related to your hardware system.
The following table describes the low-level event categories and associated severity levels for the control category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Device Read | 22001 | Indicates that a device was read. | 1 |
Device Communication | 22002 | Indicates communication with a device. | 1 |
Device Audit | 22003 | Indicates that a device audit occurred. | 1 |
Device Event | 22004 | Indicates that a device event occurred. | 1 |
Device Ping | 22005 | Indicates that a ping action to a device occurred. | 1 |
Device Configuration | 22006 | Indicates that a device was configured. | 1 |
Device Registration | 22007 | Indicates that a device was registered. | 1 |
Device Route | 22008 | Indicates that a device route action occurred. | 1 |
Device Import | 22009 | Indicates that a device import occurred. | 1 |
Device Information | 22010 | Indicates that a device information action occurred. | 1 |
Device Warning | 22011 | Indicates that a warning was generated on a device. | 1 |
Device Error | 22012 | Indicates that an error was generated on a device. | 1 |
Relay Event | 22013 | Indicates a relay event. | 1 |
NIC Event | 22014 | Indicates a Network Interface Card (NIC) event. | 1 |
UIQ Event | 22015 | Indicates an event on a mobile device. | 1 |
IMU Event | 22016 | Indicates an event on an Integrated Management Unit (IMU). | 1 |
Billing Event | 22017 | Indicates a billing event. | 1 |
DBMS Event | 22018 | Indicates an event on the Database Management System (DBMS). | 1 |
Import Event | 22019 | Indicates that an import occurred. | 1 |
Location Import | 22020 | Indicates that a location import occurred. | 1 |
Route Import | 22021 | Indicates that a route import occurred. | 1 |
Export Event | 22022 | Indicates that an export occurred. | 1 |
Remote Signaling | 22023 | Indicates remote signaling. | 1 |
Gateway Status | 22024 | Indicates gateway status. | 1 |
Job Event | 22025 | Indicates that a job occurred. | 1 |
Security Event | 22026 | Indicates that a security event occurred. | 1 |
Device Tamper Detection | 22027 | Indicates that the system detected a tamper action. | 1 |
Time Event | 22028 | Indicates that a time event occurred. | 1 |
Suspicious Behavior | 22029 | Indicates that suspicious behavior occurred. | 1 |
Power Outage | 22030 | Indicates that a power outage occurred. | 1 |
Power Restoration | 22031 | Indicates that power was restored. | 1 |
Heartbeat | 22032 | Indicates that a heartbeat ping occurred. | 1 |
Remote Connection Event | 22033 | Indicates a remote connection to the system. | 1 |
Asset Profiler
The asset profiler category contains events that are related to asset profiles.
The following table describes the low-level event categories and associated severity levels for the asset profiler category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Asset Created | 23001 | Indicates that an asset was created. | 1 |
Asset Updated | 23002 | Indicates that an asset was updated. | 1 |
Asset Observed | 23003 | Indicates that an asset was observed. | 1 |
Asset Moved | 23004 | Indicates that an asset was moved. | 1 |
Asset Deleted | 23005 | Indicates that an asset was deleted. | 1 |
Asset Hostname Cleaned | 23006 | Indicates that a host name was cleaned. | 1 |
Asset Hostname Created | 23007 | Indicates that a host name was created. | 1 |
Asset Hostname Updated | 23008 | Indicates that a host name was updated. | 1 |
Asset Hostname Observed | 23009 | Indicates that a host name was observed. | 1 |
Asset Hostname Moved | 23010 | Indicates that a host name was moved. | 1 |
Asset Hostname Deleted | 23011 | Indicates that a host name was deleted. | 1 |
Asset Port Cleaned | 23012 | Indicates that a port was cleaned. | 1 |
Asset Port Created | 23013 | Indicates that a port was created. | 1 |
Asset Port Updated | 23014 | Indicates that a port was updated. | 1 |
Asset Port Observed | 23015 | Indicates that a port was observed. | 1 |
Asset Port Moved | 23016 | Indicates that a port was moved. | 1 |
Asset Port Deleted | 23017 | Indicates that a port was deleted. | 1 |
Asset Vuln Instance Cleaned | 23018 | Indicates that a vulnerability instance was cleaned. | 1 |
Asset Vuln Instance Created | 23019 | Indicates that a vulnerability instance was created. | 1 |
Asset Vuln Instance Updated | 23020 | Indicates that a vulnerability instance was updated. | 1 |
Asset Vuln Instance Observed | 23021 | Indicates that a vulnerability instance was observed. | 1 |
Asset Vuln Instance Moved | 23022 | Indicates that a vulnerability instance was moved. | 1 |
Asset Vuln Instance Deleted | 23023 | Indicates that a vulnerability instance was deleted. | 1 |
Asset OS Cleaned | 23024 | Indicates that an operating system was cleaned. | 1 |
Asset OS Created | 23025 | Indicates that an operating system was created. | 1 |
Asset OS Updated | 23026 | Indicates that an operating system was updated. | 1 |
Asset OS Observed | 23027 | Indicates that an operating system was observed. | 1 |
Asset OS Moved | 23028 | Indicates that an operating system was moved. | 1 |
Asset OS Deleted | 23029 | Indicates that an operating system was deleted. | 1 |
Asset Property Cleaned | 23030 | Indicates that a property was cleaned. | 1 |
Asset Property Created | 23031 | Indicates that a property was created. | 1 |
Asset Property Updated | 23032 | Indicates that a property was updated. | 1 |
Asset Property Observed | 23033 | Indicates that a property was observed. | 1 |
Asset Property Moved | 23034 | Indicates that a property was moved. | 1 |
Asset Property Deleted | 23035 | Indicates that a property was deleted. | 1 |
Asset IP Address Cleaned | 23036 | Indicates that an IP address was cleaned. | 1 |
Asset IP Address Created | 23037 | Indicates that an IP address was created. | 1 |
Asset IP Address Updated | 23038 | Indicates that an IP address was updated. | 1 |
Asset IP Address Observed | 23039 | Indicates that an IP address was observed. | 1 |
Asset IP Address Moved | 23040 | Indicates that an IP address was moved. | 1 |
Asset IP Address Deleted | 23041 | Indicates that an IP address was deleted. | 1 |
Asset Interface Cleaned | 23042 | Indicates that an interface was cleaned. | 1 |
Asset Interface Created | 23043 | Indicates that an interface was created. | 1 |
Asset Interface Updated | 23044 | Indicates that an interface was updated. | 1 |
Asset Interface Observed | 23045 | Indicates that an interface was observed. | 1 |
Asset Interface Moved | 23046 | Indicates that an interface was moved. | 1 |
Asset Interface Merged | 23047 | Indicates that an interface was merged. | 1 |
Asset Interface Deleted | 23048 | Indicates that an interface was deleted. | 1 |
Asset User Cleaned | 23049 | Indicates that a user was cleaned. | 1 |
Asset User Observed | 23050 | Indicates that a user was observed. | 1 |
Asset User Moved | 23051 | Indicates that a user was moved. | 1 |
Asset User Deleted | 23052 | Indicates that a user was deleted. | 1 |
Asset Scanned Policy Cleaned | 23053 | Indicates that a scanned policy was cleaned. | 1 |
Asset Scanned Policy Observed | 23054 | Indicates that a scanned policy was observed. | 1 |
Asset Scanned Policy Moved | 23055 | Indicates that a scanned policy was moved. | 1 |
Asset Scanned Policy Deleted | 23056 | Indicates that a scanned policy was deleted. | 1 |
Asset Windows Application Cleaned | 23057 | Indicates that a Windows application was cleaned. | 1 |
Asset Windows Application Observed | 23058 | Indicates that a Windows application was observed. | 1 |
Asset Windows Application Moved | 23059 | Indicates that a Windows application was moved. | 1 |
Asset Windows Application Deleted | 23060 | Indicates that a Windows application was deleted. | 1 |
Asset Scanned Service Cleaned | 23061 | Indicates that a scanned service was cleaned. | 1 |
Asset Scanned Service Observed | 23062 | Indicates that a scanned service was observed. | 1 |
Asset Scanned Service Moved | 23063 | Indicates that a scanned service was moved. | 1 |
Asset Scanned Service Deleted | 23064 | Indicates that a scanned service was deleted. | 1 |
Asset Windows Patch Cleaned | 23065 | Indicates that a Windows patch was cleaned. | 1 |
Asset Windows Patch Observed | 23066 | Indicates that a Windows patch was observed. | 1 |
Asset Windows Patch Moved | 23067 | Indicates that a Windows patch was moved. | 1 |
Asset Windows Patch Deleted | 23068 | Indicates that a Windows patch was deleted. | 1 |
Asset UNIX Patch Cleaned | 23069 | Indicates that a UNIX patch was cleaned. | 1 |
Asset UNIX Patch Observed | 23070 | Indicates that a UNIX patch was observed. | 1 |
Asset UNIX Patch Moved | 23071 | Indicates that a UNIX patch was moved. | 1 |
Asset UNIX Patch Deleted | 23072 | Indicates that a UNIX patch was deleted. | 1 |
Asset Patch Scan Cleaned | 23073 | Indicates that a patch scan was cleaned. | 1 |
Asset Patch Scan Created | 23074 | Indicates that a patch scan was created. | 1 |
Asset Patch Scan Moved | 23075 | Indicates that a patch scan was moved. | 1 |
Asset Patch Scan Deleted | 23076 | Indicates that a patch scan was deleted. | 1 |
Asset Port Scan Cleaned | 23077 | Indicates that a port scan was cleaned. | 1 |
Asset Port Scan Created | 23078 | Indicates that a port scan was created. | 1 |
Asset Port Scan Moved | 23079 | Indicates that a port scan was moved. | 1 |
Asset Port Scan Deleted | 23080 | Indicates that a port scan was deleted. | 1 |
Asset Client Application Cleaned | 23081 | Indicates that a client application was cleaned. | 1 |
Asset Client Application Observed | 23082 | Indicates that a client application was observed. | 1 |
Asset Client Application Moved | 23083 | Indicates that a client application was moved. | 1 |
Asset Client Application Deleted | 23084 | Indicates that a client application was deleted. | 1 |
Asset Patch Scan Observed | 23085 | Indicates that a patch scan was observed. | 1 |
Asset Port Scan Observed | 23086 | Indicates that a port scan was observed. | 1 |
NetBIOS Group Created | 23087 | Indicates that a NetBIOS group was created. | 1 |
NetBIOS Group Updated | 23088 | Indicates that a NetBIOS group was updated. | 1 |
NetBIOS Group Observed | 23089 | Indicates that a NetBIOS group was observed. | 1 |
NetBIOS Group Deleted | 23090 | Indicates that a NetBIOS group was deleted. | 1 |
NetBIOS Group Cleaned | 23091 | Indicates that a NetBIOS group was cleaned. | 1 |
NetBIOS Group Moved | 23092 | Indicates that a NetBIOS group was moved. | 1 |
Sense
The sense category contains events that are related to sense user behavior analytics.
The following table describes the low-level event categories and associated severity levels for the sense category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
User Behavior | 24001 | Indicates the user's behavior. | 5 |
User Geography | 24002 | Indicates the user's geography. | 5 |
User Time | 24003 | Indicates the user's time. | 5 |
User Access | 24004 | Indicates the user's access. | 5 |
User Privilege | 24005 | Indicates the user's privilege. | 5 |
User Risk | 24006 | Indicates the user's risk. | 5 |
Sense Offense | 24007 | Indicates that a sense offense occurred. | 5 |
Resource Risk | 24008 | Indicates the resources that are at risk. | 5 |