Rank events to quantify their importance

The ranking system provides a way to quantify the importance of events. You assign an asset value to each computer and a severity or risk value to each rule; the importance (rank) of an event is the product of the two values. This lets you sort events by rank so that a low-severity rule firing on a critical server can outrank a high-severity rule firing on an unimportant one.

Unlike the other modules, Anti-Malware does not use asset values to rank event importance.

Web Reputation event risk values

Risk values for Web Reputation events are linked to the three URL risk levels used by the Web Reputation settings on the General tab of the Web Reputation page, plus two additional event categories that have their own values:

  • Dangerous: corresponds to "A URL that has been confirmed as fraudulent or a known source of threats."
  • Highly Suspicious: corresponds to "A URL that is suspected to be fraudulent or a known source of threats."
  • Suspicious: corresponds to "A URL that is associated with spam or possibly compromised."
  • Blocked by Administrator: A URL that is on the Web Reputation Service Blocked list.
  • Untested: A URL that does not have a risk level.

Firewall rule severity values

Severity values for Firewall rules are linked to their actions: Deny, Log Only, and Packet Rejection. The latter refers to packets rejected because of a Firewall stateful configuration setting. Use this panel to edit the severity values which are multiplied by a computer's asset value to determine the rank of a Firewall event. A Firewall rule's actions can be viewed and edited in the rule's Properties window.

Intrusion Prevention rule severity values

Intrusion Prevention rule severity values are linked to their severity levels: Critical, High, Medium, Low, or Error. Use this panel to edit the values, which are multiplied by a computer's asset value to determine the rank of an Intrusion Prevention event. An Intrusion Prevention rule's severity setting can be viewed in the rule's Properties window.

Integrity Monitoring rule severity values

Integrity Monitoring rule severity values are linked to their severity levels: Critical, High, Medium, or Low. Use this panel to edit the values, which are multiplied by a computer's asset value to determine the rank of an Integrity Monitoring event. An Integrity Monitoring rule's severity can be viewed in the rule's Properties window.

Log Inspection rule severity values

Log Inspection rule severity values are linked to their severity levels: Critical, High, Medium, or Low. Use this panel to edit the values, which are multiplied by a computer's asset value to determine the rank of a Log Inspection event. A Log Inspection rule's severity level can be viewed and edited from the rule's Properties window.

Asset values

Unlike rule severity values, asset values are not derived from any other property such as a rule's action or severity level. An asset value is a property of the computer itself. A computer's asset value can be viewed and edited from the computer's Details window. To simplify the process of assigning asset values, you can predefine some values that will appear in the Asset Importance list on the first page of the computer's Details window. To view the existing predefined asset values, click the View Asset Values button in this panel. The Asset Values window displays the predefined settings; these values can be changed, and new ones can be created. New settings will appear in the list for all computers.
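The following is an added example, not code from the product or its documentation, showing how the ranking scheme described on this page (severity or risk value multiplied by the computer's asset value, with Anti-Malware exempt from the asset multiplier) can be reproduced outside the console, for instance to re-rank exported events in a SIEM. All numeric values, the module and level names used as dictionary keys, the host names, the sample events, and the fixed value given to Anti-Malware events are assumptions for the example; the real values are whatever is configured in the ranking panel and the Asset Importance list.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed severity/risk values per module. In the product these are whatever
# has been configured in the ranking panel; the numbers here are illustrative.
SEVERITY_VALUES: Dict[str, Dict[str, int]] = {
    # Web Reputation: three URL risk levels plus two extra event categories.
    "Web Reputation": {
        "Dangerous": 100, "Highly Suspicious": 75, "Suspicious": 50,
        "Blocked by Administrator": 100, "Untested": 25,
    },
    # Firewall: keyed on the rule action, not on a severity level.
    "Firewall": {"Deny": 100, "Log Only": 10, "Packet Rejection": 50},
    "Intrusion Prevention": {"Critical": 100, "High": 75, "Medium": 50, "Low": 25, "Error": 100},
    "Integrity Monitoring": {"Critical": 100, "High": 75, "Medium": 50, "Low": 25},
    "Log Inspection": {"Critical": 100, "High": 75, "Medium": 50, "Low": 25},
}

# Assumed predefined asset importance values (Computer Details > Asset Importance).
ASSET_VALUES: Dict[str, int] = {"Low": 1, "Medium": 5, "High": 10, "Critical": 25}

# The page says only that Anti-Malware does not use asset values; it gives no
# scheme for it. This example assigns Anti-Malware events a fixed, assumed value
# so they still sort alongside the other modules.
ANTI_MALWARE_RANK = 500


@dataclass(frozen=True)
class Event:
    module: str
    level: str              # severity level, URL risk level, or firewall action
    host: str
    asset_importance: str   # name from ASSET_VALUES


def severity_value(module: str, level: str) -> int:
    """Look up the configured value; fail loudly on a module/level with no value."""
    try:
        return SEVERITY_VALUES[module][level]
    except KeyError:
        raise ValueError(f"no severity value configured for {module!r}/{level!r}") from None


def rank(event: Event) -> int:
    """rank = severity (or risk) value x asset value, except for Anti-Malware."""
    if event.module == "Anti-Malware":
        return ANTI_MALWARE_RANK
    return severity_value(event.module, event.level) * ASSET_VALUES[event.asset_importance]


def rank_events(events: List[Event]) -> List[tuple]:
    """Return (rank, event) pairs sorted highest rank first; ties broken by host name."""
    scored = [(rank(e), e) for e in events]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1].host))


# Constructed sample events covering every module on the page.
SAMPLE_EVENTS: List[Event] = [
    Event("Web Reputation", "Dangerous", "laptop07", "Low"),
    Event("Firewall", "Deny", "web01", "High"),
    Event("Intrusion Prevention", "Critical", "db01", "Critical"),
    Event("Log Inspection", "Low", "db01", "Critical"),
    Event("Integrity Monitoring", "High", "web01", "High"),
    Event("Anti-Malware", "n/a", "web01", "High"),
]


def top_event(events: Optional[List[Event]] = None) -> Event:
    """Convenience: the single highest-ranked event."""
    return rank_events(events if events is not None else SAMPLE_EVENTS)[0][1]


if __name__ == "__main__":
    for score, ev in rank_events(SAMPLE_EVENTS):
        print(f"{score:5d}  {ev.module:<22} {ev.level:<12} {ev.host}")
```

The point worth noticing in the sample output is the Log Inspection Low event: on its own it carries the smallest severity value, but because it fired on a Critical asset it outranks the Dangerous Web Reputation event on a Low-importance laptop, which is exactly the effect asset values are meant to produce. The `severity_value` lookup raises rather than silently returning 0 for an unknown level, so a renamed level or an action that carries no ranking value (such as a Firewall action other than the three listed) is caught instead of sinking events to the bottom of the list.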