
How to Prioritize Event IDs in Exabeam and USM Anywhere

Categorizing event severity is critical to successfully managing your information security capabilities. 


It’s a basic fact – some threats are simply more urgent than others. 

Many organizations have security information and event management (SIEM) platforms that simply deliver alerts as they’re generated. This chronological approach makes sense in a low-volume situation, but it quickly breaks down as the number of alerts rises. 

Security professionals should not have to sift through hundreds of low-severity alerts before addressing high-impact critical vulnerabilities. This slows down incident response and gets in the way of operational efficiency. It heightens security risks without providing clear benefits. 

This is why modern SIEM platforms allow security professionals to prioritize event IDs and push urgent threats to the top of their feed. This lets analysts investigate the most suspicious activities first, potentially blocking cyberattacks earlier in the kill chain than otherwise possible. 


However, every SIEM platform works a little differently. Both Exabeam and USM Anywhere users can prioritize specific event IDs and fast-track the resolution of critical vulnerabilities in different ways. 


Understanding Your Event Priority Framework 

There is no one-size-fits-all solution to prioritizing security events. Security analysts need to be able to prioritize specific event types according to the unique needs of the organization itself. These priorities may change depending on the organization, role, and scenario under consideration. Experienced analysts may have personal preferences that aren’t part of any standard operating procedure. 

As a result, your organization's event priority framework is a flexible, customizable policy. It normalizes incoming event data into numeric values and expresses those values as factors, which combine to create a final event prioritization value. 

Individual servers and user accounts do not operate in isolation. Some parts of your network infrastructure are more sensitive than others. A well-structured event priority framework takes these facts into consideration through multiple factors. 

  • Event Impact. This metric corresponds to the impact of a particular security event independently of the host or system it affects.
  • Host Importance. This metric refers to the confidentiality, integrity, and availability of specific network entities. It takes their connectivity to other network hosts into account. 
  • Comprehensive Event Effect. This metric combines the event impact with the host importance rating of specific network infrastructure. It changes depending on how sensitive the targeted host is. 
  • Event Propagability. Some threats move faster through networks than others. This metric captures the speed and ease with which a particular event can spread through a network. 
  • Event Clustering. Security incidents don’t happen randomly. They are often targeted and synchronized so that multiple exploits occur at once. This metric captures how multiple coordinated attacks can cause greater damage together than each individual exploit would on its own.
  • Event Priority Value. This metric combines the Comprehensive Event Effect with its Event Propagability and Event Clustering modifiers to create a single figure that represents the severity of the threat. 


How to Prioritize Windows Event IDs in Exabeam

Exabeam leverages log data to identify events that may constitute security incidents. Endpoint logs that come from laptops, phones, and other devices are an important part of this equation. Windows administrators can use Event Viewer to access and view security logs covering nine different categories: 

  • Account logon events 
  • Account management 
  • Directory service access 
  • Logon events 
  • Object access 
  • Policy change 
  • Privilege use 
  • Process tracking 
  • System events 

Some of the most common event codes used by Windows administrators when conducting security investigations include: 

Event ID / What it means

  • Successful log on
  • Failed log on
  • Account log off
  • Log on attempt with explicit credentials
  • System audit policy change
  • Special group assigned to new log on attempt
  • Audit log cleared
  • New user account created
  • User account enabled
  • Attempt to change password
  • User account disabled
  • User added to privileged global group
  • User added to privileged local group
  • User added to privileged universal group
  • Change to user account
  • User locked out of an account
  • User account unlocked
  • Change to privileged local group
  • Change to privileged global group
  • Change to universal group
  • Failed request for Kerberos ticket
  • Domain controller failed to validate credentials
  • Account password hash accessed
  • System time changed
  • Change to registry value
  • Service install attempt
  • Rule added to Windows Firewall exception
  • Rule modified in Windows Firewall exception
  • Windows Firewall settings change
  • Change to Windows Firewall Group Policy
  • Windows Firewall service stopped
  • Application blocked by Windows Firewall from accepting traffic
  • Windows Filtering Platform blocked a service from listening on a port
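The following is an added example, not code from this article and not Exabeam's or USM Anywhere's scoring logic. It shows the event priority framework from the section above (Event Impact, Host Importance, Comprehensive Event Effect, Event Propagability and Event Clustering combined into an Event Priority Value) applied to a handful of Windows Security log events of the kind just listed, so that a burst of account and audit-log activity on a domain controller is ranked above routine workstation logons. The factor names follow the article; the numeric scales, weights, the ten-minute clustering window, the hosts and the sample events are all assumptions. The event IDs used (4624, 4625, 4720, 4732, 1102) are real Windows Security log IDs but are not taken from the page.

```python
"""Event-priority scoring applied to Windows Security events.

Added example: this is not the article's code and not Exabeam's or
USM Anywhere's scoring logic. The factor names follow the article's
framework; every weight, scale, window and sample record below is an
assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Host:
    name: str
    confidentiality: int  # 1 (low) .. 5 (high)
    integrity: int
    availability: int
    connectivity: int     # 0 .. 10: how many other hosts depend on this one

    def importance(self) -> float:
        """Host Importance: mean CIA rating, scaled up by connectivity."""
        cia = mean((self.confidentiality, self.integrity, self.availability))
        return cia * (1 + self.connectivity / 10)


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    event_id: int   # Windows Security log event ID
    host: str       # host the event was logged on
    account: str    # account the event is attributed to


# Event Impact on a 1..10 scale, independent of the host it affects.
# The IDs are real Windows Security log IDs; the weights are assumed.
EVENT_IMPACT = {
    4624: 1,   # successful logon
    4625: 3,   # failed logon
    4720: 6,   # user account created
    4732: 8,   # member added to a security-enabled local group
    1102: 10,  # audit log cleared
}

# Event Propagability modifier: 1.0 = no help in spreading further,
# higher = easier spread across the network (assumed values).
PROPAGABILITY = {4624: 1.0, 4625: 1.0, 4720: 1.2, 4732: 1.5, 1102: 1.3}

CLUSTER_WINDOW = timedelta(minutes=10)  # assumed clustering window


def clustering(event: Event, events: list) -> float:
    """Event Clustering: count distinct event IDs from the same account on the
    same host within CLUSTER_WINDOW of this event; each extra one adds 25%."""
    related = {
        e.event_id for e in events
        if e.account == event.account and e.host == event.host
        and abs(e.timestamp - event.timestamp) <= CLUSTER_WINDOW
    }
    return 1 + 0.25 * (len(related) - 1)


def priority(event: Event, hosts: dict, events: list) -> float:
    """Event Priority Value = Comprehensive Event Effect x Propagability x Clustering,
    where Comprehensive Event Effect = Event Impact x Host Importance."""
    effect = EVENT_IMPACT[event.event_id] * hosts[event.host].importance()
    return effect * PROPAGABILITY[event.event_id] * clustering(event, events)


def prioritize(events: list, hosts: dict) -> list:
    """Return (priority, event) pairs with the most urgent event first."""
    scored = [(round(priority(e, hosts, events), 2), e) for e in events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample data: a domain controller and one workstation.
SAMPLE_HOSTS = {
    "DC01": Host("DC01", 5, 5, 5, 10),
    "WS-042": Host("WS-042", 2, 2, 2, 1),
}
_T = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(_T, 4624, "WS-042", "alice"),
    Event(_T + timedelta(minutes=1), 4625, "DC01", "svc-backup"),
    Event(_T + timedelta(minutes=5), 4720, "DC01", "svc-backup"),
    Event(_T + timedelta(minutes=7), 4732, "DC01", "svc-backup"),
    Event(_T + timedelta(minutes=8), 1102, "DC01", "svc-backup"),
    Event(_T + timedelta(minutes=30), 4625, "WS-042", "bob"),
]


def demo() -> list:
    """Rank the constructed sample so the analyst sees the DC01 burst first."""
    return prioritize(SAMPLE_EVENTS, SAMPLE_HOSTS)


if __name__ == "__main__":
    for score, e in demo():
        print(f"{score:7.2f}  {e.timestamp:%H:%M}  {e.event_id}  {e.host:7}  {e.account}")
```

Run as a script, the ranking puts the cleared audit log on DC01 first and the routine workstation logon last, even though the logon arrived earliest; the same failed-logon event scores very differently on DC01 and on WS-042 because Host Importance and the clustering of surrounding events both feed the final value. The weights are the part an organization would tune to its own risk profile.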


How to Prioritize Events in USM Anywhere 

USM Anywhere collects and analyzes data on network activity, as well as your firewalls, routers, switches, servers, and applications. The USM Anywhere Sensor discovers assets, assesses vulnerabilities, detects threats, and monitors users to provide situational awareness to security analysts. 

To view the events that USM Anywhere processes, open the Events page under the Activity menu. You’ll see a comprehensive display of events being processed and the relevant metrics being collected. Default columns include the Event Name, Time Created, OTX status, Source Asset, Destination Asset, Sensor Name, and Username associated with the event. 

You can add further columns here and drill down into individual events for more detailed analysis. You can also open the Configure Filters page in the upper-left corner to change the way USM Anywhere prioritizes alerts according to ten different factors:

  • Custom Range. You can set USM Anywhere to filter events triggered in the last hour, 24 hours, 7 days, or three months by default. You can also set a custom range to find particular events. 
  • Suppressed. Suppressed events are hidden by default. You can filter to show suppressed events here. 
  • Account Name. Filter events by the individual account that generated the event. 
  • Data Source. Filter according to the data source used to normalize the event. 
  • Event Name. Filter events that share a short, user-readable description. 
  • Source Asset. Filter events by the name of the asset that produced the event. 
  • Source User. Filter events by the name of the user that caused the event. 
  • Sensor. Filter events by the name of the USM Anywhere Sensor that detected it. 
  • Asset Groups. Filter by the name or names of the asset group that the event source belongs to. This filter only applies to event sources and destinations that are members of an asset group.
  • Username. Filter events by the username associated with the asset that generated the event. 


Use Custom Event Prioritization to Improve Incident Response 

The ability to customize the way your SIEM handles security events is an important strategic advantage in today’s security landscape. Castra's expertise can help you identify which event types need the highest priority ranking according to your organization’s unique risk profile.


Speak to an information security expert about improving your organization’s event prioritization framework to find out more.