HIDS 1002

From Atomicorp Wiki
Jump to: navigation, search

Rule ID

1002

Status

Active rule currently published.

Description

This rule is a catch all rule that detects new events that ASL does not yet understand. When this happens, ASL will report "Unknown problem somewhere in the system.". Anytime this occurs ASL will email you the event, even though a 1002 event may be set at a lower level alert than what you may have ASL configured as the minimum level to send emails. 1002's are always emailed because ASL does not know what they are, they may be important and the system is seeking a humans advice about what to with this unknown event.

These unknown events could be benign and harmless events, or they could be serious problems or event attacks on the systems. When ASL does not know what an event is, it will do some additional analysis on the event and if the log entry contains words that lead ASL to believe this is an error or a potentially malicious event, it will alert you that an unknown event has occurred.

If you get a 1002 alert, and you do not know what it is simply click the "False Negative" button in the GUI. This will open a priority case with the support team, they will investigate the event and will be in contact with you. If the event requires new rules, they will generally make those available the same business day you report the event.

False Positives

This rule can only be triggered if the event is unknown to ASL. Therefore, there can never be a false positive with this rule, this rule is just a catch all for anything ASL does not recognize. Because we want ASL to know as much as possible, please report this as a False Positive so that we can investigate what this log message is and add it to ASLs library of events. In general you should expect the support team to follow up with some questions about this event to help us to understand it better. If the support team requires additional information, they will

Tuning Recommendations

None.

Similar Rules

Personal tools