About Events
Events are behaviors that may indicate malicious activity on the network.
Event Types
The following event types are detected by the Malware Analysis appliance:
- Alerts update—ATI Alert Update events. This type of event requires an ATI license.
- Domain match—An attempt to access a domain identified as a source of malicious behavior has been detected.
- Infection match—One or more appliances that match known signs of infection have been detected.
- IPS critical—An intrusion prevention system (IPS) event has been detected.
  All IPS events trigger an rsyslog notification.
  Only events with a severity level at or above seven (7) trigger HTTP, email (SMTP), and SNMP notifications.
- lnec-alerts—An LNEC event has been detected.
- Malware callback—An established connection between an infected host and a Command and Control (CnC) server has been detected.
- Malware object—File attachments with a malicious executable payload have been detected.
- Web infection—A Web browser initiating an outbound connection to what resolves to be a malicious (usually external) website has been detected.
Based on your organizational preferences, you can enable or disable specific alert types. You can also map different alert types to different notification receivers.
This section covers notifications triggered by network (malware) alerts. It does not cover notifications triggered by system events. For information on system event notifications, see the system administration guide.