Skip to main content

CSE Normalized Classification

This topic describes how CSE applies normalized classification to Records. 

In CSE Records can be classified at two levels. First, all Records are classified at a high level by Record Type. At a more detailed level, you can classify more specifically using Normalized Classification Fields alongside the mapped attributes within a Record.

Record Types

Every CSE Record has a Record Type. A Record Type classifies the nature of the event that the Record describes. CSE Record Types include Authentication, Endpoint, NetworkHTTP and so on.

A Record’s type is set by the log mapping that processes it. For more information, see CSE Record Types.

Normalized Classification Fields

For more granular classification of a Record, CSE uses Normalized Classification Fields. These are special normalized schema fields that have an enforced output defined by CSE. These fields provide a taxonomy that can be used to tie Records from multiple vendors and products together in a standard way. Rather than holistically trying to describe a Record as Record Type does, these fields exist alongside commonly used normalization schema fields which most often contain the what, where, and why of a particular Record. This allows for far more dynamic and specific classification of a Record than Record Type alone. 

Normalized Classification Fields are completely optional when creating a log mapping. When using Normalized Classification Fields, it is best to consider whether a parallel normalized schema field exists for the Record and whether there is an analogous enforced output available in the desired Normalized Classification Field. These fields will most typically utilize the lookup unless the vendor log output exactly matches the enforced outputs or a constant value is assigned.

note
  • When creating a log mapping, if the output value used for a given Normalized Classification Field is not listed in the Enforced Output Values for that field, it will not be populated.
  • Normalized Classification Fields are a new feature and will be backfilled to existing out-of-the-box mappings over time.

normalizedAction

Complementary to the action field, the normalizedAction field describes the initiation of an activity in a standard way across Records. normalizedAction is meant to describe an attempt to perform an action, using the success boolean as a modifier to indicate whether or not the action was successful. Note that normalizedAction should be used with normalizedResource to indicate where an action was attempted, or the resource or entity upon which the action was attempted.

Enforced Output ValueDescription
abortUse for actions synonymous with "abort". For instance, in an event describing the attempt, successful or not, to interrupt an ongoing task.
allowUse for actions synonymous with "allow”. For instance, in an event describing the attempt, successful or not, to permit an object or the occurrence of an activity. This is common in actions pertaining to network traffic.
changeUse for actions synonymous with "change". For instance, in an event describing the attempt, successful or not, to modify a resource.
cleanUse for actions synonymous with "clean". For instance, in an event describing the attempt, successful or not, of the sanitization of a resource. Common in actions pertaining to anti-malware.
createUse for actions synonymous with "create". For instance, in an event describing the attempt, successful or not, to create a resource.
decryptUse for actions synonymous with "decrypt". For instance, in an event describing the attempt, successful or not, of the decryption of a resource
deleteUse for actions synonymous with "delete". For instance, in an event describing the attempt, successful or not, to create a resource.
denyUse for actions synonymous with "deny". For instance, in an event describing the attempt, successful or not, to reject an object or the occurrence of an activity. Common in actions pertaining to network traffic.
domainLogonUse for events describing the attempt, successful or not, to leverage domain resources to attempt credential validation.
disableUse for actions synonymous with "disable". For instance, in an event describing the attempt, successful or not, to render a resource inactive and/or unable. Common in actions pertaining to identity and access management.
enableUse for actions synonymous with "enable". For instance, in an event describing the attempt, successful or not, to render a resource active and/or able. Common in actions pertaining to identity and access management.
executeUse for actions synonymous with "execute". For instance, in an event describing the attempt, successful or not, to initiate the performance of a task.
ignoreUse for actions synonymous with "ignore". For instance, in an event describing the attempt, successful or not, to disregard a resource or the occurrence of an activity.
inspectUse for actions synonymous with "inspect". For instance, in an event describing the attempt, successful or not, to submit a resource to further scrutiny.
installUse for actions synonymous with "install". For instance, in an event describing the attempt, successful or not, of the installation of a piece of software or hardware.
lockUse for actions synonymous with "lock". For instance, in an event describing the attempt, successful or not, to make a resource secure or inaccessible. Common in actions pertaining to identity and access management.
logoffUse for actions synonymous with "logoff". For instance, in an event describing the attempt, successful or not, of a computer, service, or user account logging off.
logonUse for actions synonymous with "logon". For instance, in an event describing the attempt, successful or not, of a computer, service, or user account logging in.
quarantineUse for actions synonymous with "quarantine". For instance, in an event describing the attempt, successful or not, of isolating a resource. Common in actions pertaining to anti-malware.
receiveUse for actions synonymous with "receive". For instance, in an event describing the attempt, successful or not, to accept the arrival of a resource. Common in actions pertaining to email.
resetUse for actions synonymous with "reset". For instance, in an event describing the attempt, successful or not, to discard the current state of a resource. Common in actions pertaining to network network traffic and identity access management, depending on context.
restoreUse for actions synonymous with "restore". For instance, in an event describing the attempt, successful or not, to re-establish the prior state of a resource. Common in actions pertaining to backups.
scanUse for actions synonymous with "scan". For instance, in an event describing the attempt, successful or not, to initiate a scan of a resource. Common in actions pertaining to anti-malware.
sendUse for actions synonymous with "send". For instance, in an event describing the attempt, successful or not, to dispatch a resource. Common in actions pertaining to email.
startUse for actions synonymous with "start". For instance, in an event describing the attempt, successful or not, to initiate an activity.
stopUse for actions synonymous with "stop". For instance, in an event describing the attempt, successful or not, to cease an activity.
uninstallUse for actions synonymous with "uninstall". For instance, in an event describing the attempt, successful or not, to remove a piece of software or hardware.

normalizedResource

Complementary to the resource field, this field describes the resource being acted upon or otherwise referenced within a Record in a standard way across Records. Intended to be used to provide further normalized context to a Record, particularly in tandem with normalizedAction.

Enforced Output ValueDescription
accountUse where the resource being acted upon or referenced in a Record pertains to an account.
applicationUse where the resource being acted upon or referenced in a Record pertains to an application.
backupUse where the resource being acted upon or referenced in a Record pertains to a backup.
bucketUse where the resource being acted upon or referenced in a Record pertains to a specific bucket. Common in cloud computing.
databaseUse where the resource being acted upon or referenced in a Record pertains to a database.
directoryUse where the resource being acted upon or referenced in a Record pertains to a directory or similar hierarchical organizational unit.
emailUse where the resource being acted upon or referenced in a Record pertains to email or email delivery.
fileUse where the resource being acted upon or referenced in a Record pertains to a file.
groupUse where the resource being acted upon or referenced in a Record pertains to a group, for example, an organizational unit, security group, user group, computer group, access control list, and so on.
instanceUse where the resource being acted upon or referenced in a Record pertains to a specific machine instance, typically virtual. Common in cloud computing.
keyUse where the resource being acted upon or referenced in a Record pertains to a cryptographic key.
malwareUse where the resource being acted upon or referenced in a Record pertains to malware itself or the prevention, detection, or removal of malware.
networkUse where the resource being acted upon or referenced in a Record is or pertains to network traffic.
operating systemUse where the resource being acted upon or referenced in a Record pertains to an operating system component.
processUse where the resource being acted upon or referenced in a Record pertains to a process
roleUse where the resource being acted upon or referenced in a Record pertains to a role. Common in cloud computing.
scheduled taskUse where the resource being acted upon or referenced in a Record pertains to a scheduled task or analogous functionality.
serviceUse where the resource being acted upon or referenced in a Record pertains to a service.

normalizedCause

Complementary to the cause \field, this field describes the reason for any particular outcome in a Record in a standard way.

Enforced Output ValueDescription
incorrect passwordFor a Record describing an authentication failure where the cause of the failure was an incorrect password.
incorrect usernameFor a Record describing an authentication failure where the cause of the failure was an incorrect username.
failed challengeFor a Record describing an authentication failure where the cause of the failure was a failed multi-factor authentication challenge or other secondary authentication challenge, such as a security question.
system errorFor a Record describing a failed operation where the cause of the failure was a system error.
allow listFor a Record describing the successful outcome of an operation based on the presence of an object on an allow list. For instance, an Allow ACL.
deny listFor a Record describing the failed outcome of an operation based on the presence of an object on a deny list. For instance, a Deny ACL.

success

True or false showing whether or not an action or event Recorded in a log was successful. This field is either defined as a constant or based on a lookup in a mapping.

normalizedSeverity

Severity score on a scale of 0 to 10 with 0 being informational and 10 being critical. This is defined either explicitly per mapping or by a lookup to normalize a vendor specific severity level. Certain normalized threat rules will use normalizedSeverity to pass a dynamic severity into the signal.

Examples

Failed User Logon

Record TypeAuthentication
normalizedActionlogon
normalizedResourceaccount
normalizedCauseincorrect password
successfalse

Firewall Denied Traffic

Record TypeNetwork
normalizedResourcenetwork
normalizedActiondeny
normalizedCausedeny list
successfalse
normalizedSeverity2

Successful Process Execution

Record TypeEndpointProcess
normalizedResourceprocess
normalizedActionexecute
successtrue

Successful Account Management

Record TypeAudit
normalizedActionchange
normalizedResourceaccount
successtrue
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.