Event Class IDs
The following table describes the meaning of each Event Class ID and the data included in the extension for that event type. For an explanation of how OT Security uses each of the CEF fields included in the Extensions, see Extension Parameters — CEF Keys.
ID | Name | Description |
---|---|---|
0 | Unknown | Unidentified alert event. |
01-94 | [the type of activity that occurred] | A command sent to a controller in the network to execute a particular type of activity. For example, the Rockwell Code Download event type indicates a command sent for a code download to a Rockwell controller. |
95 | New Asset Discovered | Detected a new asset in the network. |
96 | New Module | Addition of a new module to a backplane in the network. |
97 | IP Conflict | Multiple assets in the network use the same IP address. |
98 | ARP Scan Detected | Detected an Address Resolution Protocol (ARP) scan indicative of reconnaissance activity in the network. |
99 | SYN Scan Detected Port Scan | Detected a SYN scan indicative of reconnaissance activity in the network. |
100-107 | Inactive Asset for [time period] Minutes | An asset was inactive in the network for the specified period of time. Possible time periods are: 15 minutes, 30 minutes, one hour, 3 hours, 12 hours, one day, or one week. |
108 | Snapshot Mismatch | The latest snapshot, which reflects the current state of the program deployed on a controller, differs from the previous snapshot of the same controller. |
109 | Unauthorized Conversation | Detected a conversation between the specified assets in the network. |
110 | Change in State | The controller changed between operational states (for example, running, stopped, or test). |
111 | Change in Key State | Detected a change to the controller state by adjusting the physical key position. |
112 | Change in FW Version | Detected a change to the firmware running on the controller. |
113 | Unauthorized Tag Write | Detected an unauthorized CIP (Common Industrial Protocol) write of tag values on a controller. |
114 | Open Port | Detected a new open port in your network. |
115 | Baseline Deviation | Detected a new connection between assets that did not communicate with each other during the Network Baseline sampling period. |
116 | Module not Seen | A previously identified module is no longer detected on its backplane. |
117 | RDP Connection With Authentication | An RDP (Remote Desktop Protocol) connection was made between assets in your network, using authentication credentials. |
118 | RDP Connection Without Authentication | Detected an RDP connection between assets in your network, without using authentication credentials. |
119 | Intrusion Detected | Detected network traffic indicative of intrusion threats based on the Suricata Emerging Threat rules. |
120 | Modbus Exception Occurred: Illegal Function | Detected an illegal function error code in the Modbus protocol. |
121 | Modbus Exception Occurred: Illegal Data Address | Detected an illegal data address error code in the Modbus protocol. |
122 | Modbus Exception Occurred: Illegal Data Value | Detected an illegal data value error code in the Modbus protocol. |
123 | Traffic Data Spike Detected | Detected a dramatic increase in the volume of network traffic. |
124 | Traffic Conversation Count Spike Detected | Detected a dramatic increase in the number of conversations. |
125 | Change in Windows USB State | Detected a connection to or removal of a USB device from a Windows-based workstation. |
126-143 | [the type of activity that occurred] | A command sent to a controller in the network to execute a particular type of activity. For example, the Rockwell Code Download event type indicates a command sent for a code download to a Rockwell controller. |
144-166 | DNP3 [the type of Event that occurred] | A command sent using the DNP3 protocol. Example commands include select, operate, warm/cold restart, and so on. It also detects errors originating from internal indicators such as unsupported function codes and parameter errors. |
167-169 | Honeywell [the type of Event that occurred] | A command sent to a Honeywell PLC causing a state change: warm restart, cold restart, or stop. |
170, 171 | FTP [the type of Event that occurred] | An attempt to log in using the FTP protocol (failed or successful). |
172-174 | Telnet [the type of Event that occurred] | An attempt to log in using the Telnet protocol (successful, failed, or not detected). |
175-177 | Saia [the type of Event that occurred] | A command sent to a Saia PLC causing a state change: start, cold restart, or stop. |
178-186 | [the type of activity that occurred] | A command sent to a controller in the network to execute a particular type of activity. |
187-188 | MMS Define Variable List | A command sent to define the Manufacturing Message Specification (MMS) variable list. |
188 | MMS Delete Variable List | A command sent to delete the MMS variable list. |
189 | ICCP Create Data Set | A command sent using the Inter-Control Center Communications Protocol (ICCP). |
190 | ICCP Bilateral Table Exchange | A command sent using the Inter-Control Center Communications Protocol (ICCP). |
191 | Rediscovered Asset | Rediscovered an asset in the network. |
192-195 | [the type of activity that occurred] | A command sent to a controller in the network to execute a particular type of activity. |
196-197 | IEC 61850 [the type of event that occurred] | Detected a subscription failure or an authorized write command. |
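As an added example (not code from the original page or from OT Security), the following Python parser extracts the Event Class ID from a CEF record and buckets it using the ID ranges in the table above, so a SIEM pipeline can route reconnaissance, inactive-asset and controller-command events differently. The vendor string, the sample records and the category labels are constructed for this example; only the ID ranges come from the table.

```python
import re

# Event Class ID ranges taken from the table above. Grouping them into
# these category labels is this example's own choice, not an OT Security field.
CATEGORIES = [
    (range(1, 95), "controller-command"),     # 01-94
    (range(95, 97), "asset-inventory"),       # 95 New Asset, 96 New Module
    (range(98, 100), "reconnaissance"),       # 98 ARP scan, 99 SYN scan
    (range(100, 108), "inactive-asset"),      # 100-107
    (range(110, 113), "controller-state-change"),
    (range(113, 114), "unauthorized-tag-write"),
    (range(119, 123), "intrusion-or-modbus-exception"),
    (range(144, 167), "dnp3-command"),
]

def classify(event_id):
    # Unmapped IDs fall back to "other" rather than being dropped.
    if event_id == 0:
        return "unknown"
    return next((n for ids, n in CATEGORIES if event_id in ids), "other")

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")

def parse_cef(line):
    # Header fields are pipe-separated; '\|' is a literal pipe and '\\' a
    # literal backslash. Everything after the 7th pipe is the extension.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: %r" % line)
    rec = dict(zip(HEADER, fields))
    # Extension is key=value pairs; a value runs until the next ' key='.
    rec["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line[i:]))
    return rec

# Constructed sample records; vendor name and extension keys are placeholders.
SAMPLE = [
    "CEF:0|ExampleVendor|OT Security|1.0|98|ARP Scan Detected|6|src=10.0.0.5 msg=ARP sweep",
    "CEF:0|ExampleVendor|OT Security|1.0|113|Unauthorized Tag Write|8|src=10.0.0.5 dst=10.0.0.20",
    "CEF:0|ExampleVendor|OT Security|1.0|0|Unknown \\| raw|2|msg=raw",
]
```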