Prioritization Fields
Events include fields whose values help you evaluate each event's overall priority and importance, and determine which events you should investigate first. The prioritization field values take into account a number of factors including:
- Vulnerability of the Target Asset
- Active List Contents
- Open Ports on the Target Asset
- Asset Criticality
| Data Field | Description |
|---|---|
| Model Confidence | Is the target asset modeled and, if so, to what degree? This factor depicts the confidence we have in our model. This value depends heavily on whether target assets of interest are modeled in the system. If the only data point for an asset is its ID, then it is likely that this is either an asset range or an asset that was modeled manually. The fact that the target asset is in the system at all provides some degree of model confidence. Model confidence is higher, though, if the target asset has been scanned for open ports and vulnerabilities. |
| Asset Criticality | How important is the asset? This factor encompasses the criticality of the attacked asset. |
| Relevance | Does it appear probable that the attack succeeded? This factor performs an open port correlation (check to see if the target port is open) and vulnerability correlation (check to see if one of the exploited vulnerabilities is exposed). |
| Severity | How serious is this attack? This factor encompasses the severity of the event (ArcSight Severity), the severity of the exploited vulnerability (how much it is exposed), any user-supplied filter weighting, and the presence of the Source IP Address in various compromised and hostile active lists. |
| Priority | Should this event be investigated right away or not? This value is calculated by a formula that considers the values of the previous four fields, as described in the next topic. |
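The following is an added example, not ArcSight code, showing how the Model Confidence and Relevance checks described above can be reproduced against an asset inventory: an asset scores more confidence the more of it has been scanned, and Relevance comes from correlating the event's target port and exploited vulnerability with what the scans recorded. The inventory, the event fields, the 0 to 3 confidence scale, the placeholder vulnerability IDs and the triage sort key are all assumptions made for illustration; the page does not give the actual priority formula, so `triage_order` is only a stand-in for it.

```python
"""Open-port and vulnerability correlation against a constructed asset model.

Added example, not ArcSight code. The asset inventory, event fields,
the 0..3 model-confidence scale and the triage sort key are all
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    asset_id: str
    open_ports: Optional[Set[int]] = None       # None: never port-scanned
    vulnerabilities: Optional[Set[str]] = None  # None: never vuln-scanned
    criticality: int = 0                        # 0..10, assumed scale


@dataclass
class Event:
    event_id: str
    target_ip: str
    target_port: int
    exploited_vulns: Set[str] = field(default_factory=set)


def model_confidence(asset: Optional[Asset]) -> int:
    """0 = not modeled, 1 = ID only, +1 per scan type present (max 3)."""
    if asset is None:
        return 0
    score = 1  # being in the model at all gives some confidence
    if asset.open_ports is not None:
        score += 1
    if asset.vulnerabilities is not None:
        score += 1
    return score


def relevance(event: Event, asset: Optional[Asset]) -> Dict[str, Optional[bool]]:
    """Open-port correlation and vulnerability correlation.

    Each result is True/False when the data exists to decide, None when it
    does not (asset unknown, never scanned, or event names no vulnerability).
    """
    port_open: Optional[bool] = None
    vuln_exposed: Optional[bool] = None
    if asset is not None:
        if asset.open_ports is not None:
            port_open = event.target_port in asset.open_ports
        if asset.vulnerabilities is not None and event.exploited_vulns:
            vuln_exposed = bool(event.exploited_vulns & asset.vulnerabilities)
    # Assumed rule: probable success needs an open port and no evidence
    # that the exploited vulnerability is absent from the asset.
    relevant = port_open is True and vuln_exposed is not False
    return {"port_open": port_open, "vuln_exposed": vuln_exposed, "relevant": relevant}


def assess(event: Event, inventory: Dict[str, Asset]) -> dict:
    """Collect the per-event factors an analyst would look at first."""
    asset = inventory.get(event.target_ip)
    rel = relevance(event, asset)
    return {
        "event_id": event.event_id,
        "model_confidence": model_confidence(asset),
        "asset_criticality": asset.criticality if asset else 0,
        **rel,
    }


def triage_order(events: List[Event], inventory: Dict[str, Asset]) -> List[str]:
    """Order events for investigation. The sort key is an assumed stand-in
    for the priority formula, which this page does not give."""
    rows = [assess(e, inventory) for e in events]
    rows.sort(key=lambda r: (r["relevant"], r["asset_criticality"],
                             r["model_confidence"]), reverse=True)
    return [r["event_id"] for r in rows]


# Constructed inventory and events (placeholder vulnerability IDs).
INVENTORY = {
    "10.0.0.5": Asset("srv-web-01", {80, 443}, {"VULN-PLACEHOLDER-1"}, criticality=8),
    "10.0.0.9": Asset("ws-finance-03", {3389}, None, criticality=5),
    "10.0.1.1": Asset("lab-range"),  # modeled manually: ID only
}
EVENTS = [
    Event("e1", "10.0.0.5", 443, {"VULN-PLACEHOLDER-1"}),
    Event("e2", "10.0.0.5", 22, {"VULN-PLACEHOLDER-2"}),
    Event("e3", "10.0.0.9", 3389),
    Event("e4", "10.0.1.1", 445, {"VULN-PLACEHOLDER-3"}),
    Event("e5", "192.0.2.7", 80),  # not modeled at all
]

if __name__ == "__main__":
    for e in EVENTS:
        print(assess(e, INVENTORY))
    print("investigate in order:", triage_order(EVENTS, INVENTORY))
```

Running the block shows the point of the Model Confidence field: event e4 hits an asset known only by ID, so both correlations come back `None` rather than `False`, and the event cannot be dismissed as irrelevant merely because the model is thin.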