User Guide
DBN TA Source Types
Splits the incoming feed into:

system_counters
: This source type is used for various system counter information, including:
    cnt
    : An external dump of the internal counters page; lists stats for the incoming feed and engine processing
    sys
    : Contains system-level information including free memory, cache, and system uptime
    slowsys
    : A more complete set of system-level information including airflow readings, disk usage, and wear indicators
    dbfwsys
    : Information specific to the running DBFW process
sqli_events
: SQL injection events are associated with this sourcetype. It includes two subevent types:
    distinct_event
    : Description of the first SQL statement that is deemed a potential SQL injection attack
    repeat_event
    : Events which match an injection on a statement already alerted on
discovery_events
: These alerts are triggered by new events within the monitored flows that do not rise to the level of an attack:
    mds_new_user
    : A new user is seen for the first time
    mds_new_service
    : A new service is seen for the first time
    mds_new_host
    : A new host is seen for the first time
    mds_new_listener
    : A new listener is seen for the first time
    tally_new_ipseity
    : A new context is seen linking client and server across the dimensions (tally board, user, service, client, server)
health_events
: Contains events mainly involving engineering metrics:
    heart_beat
    : Used to monitor system-up status on a more frequent basis than dbfwsys
    engine_start
    : Used to monitor for engine restarts
    archive
    : Indicates the status of the overnight system archive tool
    dbfw_gc
    : Indicates a system restart due to data overload
    dbdu
    : Postgres database disk usage
insider_threat_events
: Events related to table-level analysis performed with the insider threat module:
    audit
    : Events exported by native device auditing
    upgrade
    : Raw dump of upgrade messages for external viewing
    internal
    : Catch-all for malformed output of internal messages; these are discarded