The ranking system provides a way to quantify the importance of events. By assigning
"asset values" to computers, and assigning severity or risk values to rules, the importance
("rank") of an event is calculated by multiplying the two values together. This allows
you to sort events by rank.
Note: Unlike the other modules, Anti-Malware does not use asset values to rank event importance.
Web Reputation event risk values
Risk values for Web Reputation events are linked to the three levels of risk used
by the Web Reputation settings on the General tab of the Web Reputation page:
- Dangerous: corresponds to "A URL that has been confirmed as fraudulent or a known source of threats."
- Highly Suspicious: corresponds to "A URL that is suspected to be fraudulent or a known source of threats."
- Suspicious: corresponds to "A URL that is associated with spam or possibly compromised."
- Blocked by Administrator: A URL that is on the Web Reputation Service Blocked list.
- Untested: A URL that does not have a risk level.
Firewall rule severity values
Severity values for Firewall rules are linked to their actions: Deny, Log Only, and
Packet Rejection. (The latter refers to packets rejected because of a Firewall stateful
configuration setting.) Use this panel to edit the severity values which will be multiplied
by a computer's asset value to determine the rank of a Firewall event. (A Firewall
rule's actions can be viewed and edited in the rule's Properties window.)
Intrusion Prevention rule severity values
Intrusion Prevention rule severity values are linked to their severity levels: Critical,
High, Medium, Low, or Error. Use this panel to edit their values which will be multiplied
by a computer's asset value to determine the rank of an Intrusion Prevention event.
An Intrusion Prevention rule's severity setting can be viewed in the rule's Properties window.
Integrity Monitoring rule severity values
Integrity Monitoring rule severity values are linked to their severity levels: Critical,
High, Medium, or Low. Use this panel to edit their values which will be multiplied
by a computer's asset value to determine the rank of an Integrity Monitoring event.
An Integrity Monitoring rule's severity can be viewed in the rule's Properties window.
Log Inspection rule severity values
Log Inspection rule severity values are linked to their severity levels: Critical,
High, Medium, or Low. Use this panel to edit their values which will be multiplied
by a computer's asset value to determine the rank of a Log Inspection event. A Log
Inspection rule's severity level can be viewed and edited from the rule's Properties window.
Asset values
Unlike severity values, which are tied to a rule's other properties (an Intrusion
Prevention rule's severity level or a Firewall rule's action), asset values are not
linked to anything else. Instead, an asset value is a property of the computer in its own right.
A computer's asset value can be viewed and edited from the computer's Details window.
To simplify the process of assigning asset values, you can predefine some values that
will appear in the Asset Importance list on the first page of the computer's Details
window. To view the existing predefined computer asset values, click the View Asset
Values button in this panel. The Asset Values window displays the predefined settings.
These values can be changed, and new ones can be created. (New settings will appear
in the list for all computers.)
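The rank calculation described above (severity or risk value multiplied by the computer's asset value, with Anti-Malware events left unranked) and the per-module severity scales from the preceding sections, as an added worked example that is not part of the product or this page. All numeric values are constructed placeholders, since the page gives no defaults and the real values are whatever an administrator sets in each panel.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder severity/risk values, one table per module, keyed by the
# levels, actions or risk categories this page names. Administrators edit these
# in the product; nothing here is a product default.
SEVERITY_VALUES = {
    "Web Reputation": {"Dangerous": 100, "Highly Suspicious": 50, "Suspicious": 25,
                       "Blocked by Administrator": 50, "Untested": 0},
    "Firewall": {"Deny": 100, "Log Only": 1, "Packet Rejection": 50},
    "Intrusion Prevention": {"Critical": 100, "High": 50, "Medium": 25, "Low": 1, "Error": 100},
    "Integrity Monitoring": {"Critical": 100, "High": 50, "Medium": 25, "Low": 1},
    "Log Inspection": {"Critical": 100, "High": 50, "Medium": 25, "Low": 1},
}

# Constructed predefined Asset Importance values (the real list is edited via View Asset Values).
ASSET_VALUES = {"Low": 1, "Medium": 10, "High": 100}


@dataclass
class Event:
    module: str   # e.g. "Firewall", "Log Inspection", "Anti-Malware"
    level: str    # severity level, action or risk level, depending on the module
    asset: str    # the computer's Asset Importance setting


def rank(event: Event) -> Optional[int]:
    """Rank = module severity/risk value * computer asset value.

    Anti-Malware events return None: that module does not use asset values, so
    they cannot be placed on the same scale as the other modules' events.
    """
    if event.module == "Anti-Malware":
        return None
    module_table = SEVERITY_VALUES.get(event.module)
    if module_table is None or event.level not in module_table:
        raise ValueError(f"no severity value for {event.module!r} / {event.level!r}")
    if event.asset not in ASSET_VALUES:
        raise ValueError(f"unknown asset value {event.asset!r}")
    return module_table[event.level] * ASSET_VALUES[event.asset]


def sort_by_rank(events: List[Event]) -> List[Event]:
    """Highest rank first; unranked (Anti-Malware) events sort to the end."""
    return sorted(events, key=lambda e: (rank(e) is None, -(rank(e) or 0)))
```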