Concept of security events and security groups
The core of dhound functionality is the security event concept. Dhound-agent collects security events on servers/devices and sends them to the dhound servers, where the information is analyzed, aggregated and visualized.
Security Events
Security Event metadata has the following important fields:
- Security Id (sid): unique identifier of the security event; sids 100000-200000 are reserved for custom events
- Message: user-friendly message describing the suspicious activity
- Default status: status assigned to the security event after its first analysis; one of warning, suspicious or reliable
- Default Security Group: security group the event is associated with; can be reassigned in the rule files of dhound-agent
Security Groups
Security events are aggregated into containers called security groups.
Security Group metadata has the following important fields:
- Security Group Id (gid): unique identifier of the security group; gids 100000-200000 are reserved for custom groups
- Name: human-readable name
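The following is an added example (not dhound's own code) that models the two objects described above and enforces the rules the page states: a custom sid or gid must fall inside the reserved 100000-200000 range and a built-in one must stay outside it, the default status must be one of the three listed values, and every event lands in one group. The `overrides` mapping stands in for the reassignment a dhound-agent rule file can make; its real format is not on this page, so the sid-to-gid dictionary is an assumption. Sample events and groups are constructed for the example.

```python
"""Model of dhound security events and groups with the id-range and status
checks described on the page. Added example, not dhound code; the
`overrides` rule-file substitute is an assumption."""
from collections import defaultdict
from dataclasses import dataclass, field

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 200000      # reserved for custom sids and gids
STATUSES = ("warning", "suspicious", "reliable")    # default statuses named on the page


@dataclass(frozen=True)
class SecurityEvent:
    sid: int              # Security Id
    message: str          # user-friendly description of the suspicious activity
    default_status: str   # status assigned after first analysis
    default_gid: int      # Security Group the event belongs to unless reassigned


@dataclass
class SecurityGroup:
    gid: int
    name: str
    events: list = field(default_factory=list)


def is_custom_id(identifier: int) -> bool:
    """True if the id lies in the range reserved for user-defined events/groups."""
    return CUSTOM_ID_MIN <= identifier <= CUSTOM_ID_MAX


def validate_event(ev: SecurityEvent, custom: bool) -> list:
    """Return a list of problems; an empty list means the event is well-formed.

    custom=True means the event was defined by the user, so its sid must sit
    inside the reserved range; built-in events must stay outside it so the
    two sets of ids never collide.
    """
    problems = []
    if ev.default_status not in STATUSES:
        problems.append(f"sid {ev.sid}: unknown status {ev.default_status!r}")
    if custom and not is_custom_id(ev.sid):
        problems.append(f"sid {ev.sid}: custom events must use {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
    if not custom and is_custom_id(ev.sid):
        problems.append(f"sid {ev.sid}: built-in event uses a sid reserved for custom events")
    if not ev.message.strip():
        problems.append(f"sid {ev.sid}: empty message")
    return problems


def aggregate(events, groups, overrides=None):
    """Place each event in its security group, honouring per-sid reassignments.

    overrides maps sid -> gid and stands in for the reassignment a dhound-agent
    rule file can make (format assumed, not taken from the page). Returns
    {gid: [sid, ...]} and raises KeyError for a gid that has no group, so a
    typo in a rule cannot silently drop events.
    """
    overrides = overrides or {}
    by_gid = {g.gid: g for g in groups}
    placed = defaultdict(list)
    for ev in events:
        gid = overrides.get(ev.sid, ev.default_gid)
        if gid not in by_gid:
            raise KeyError(f"sid {ev.sid}: no security group with gid {gid}")
        by_gid[gid].events.append(ev)
        placed[gid].append(ev.sid)
    return dict(placed)


# Constructed sample data for the example (not real dhound ids).
GROUPS = [
    SecurityGroup(100001, "Custom: web admin panel"),
    SecurityGroup(100002, "Custom: database"),
]
EVENTS = [
    SecurityEvent(100010, "Admin login from new IP", "suspicious", 100001),
    SecurityEvent(100011, "Bulk export of user table", "warning", 100002),
    SecurityEvent(100012, "Backup job completed", "reliable", 100002),
]
# Two mistakes at once: a sid outside the custom range and an unknown status.
BAD_EVENT = SecurityEvent(42, "Custom event with built-in sid", "critical", 100001)


if __name__ == "__main__":
    for ev in EVENTS:
        assert not validate_event(ev, custom=True)
    print(validate_event(BAD_EVENT, custom=True))
    # Rule-file style reassignment: move sid 100012 into the web admin group.
    print(aggregate(EVENTS, GROUPS, overrides={100012: 100001}))
```

Validation is split from aggregation on purpose: an agent should reject a malformed custom event definition before it ever produces data, while the group lookup failure is raised at aggregation time because that is where a stale or mistyped gid in a rule would otherwise lose events.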