...

The Alarm Service provides a system for gathering and organizing information about attacks, how each alarm is mapped to technical signatures, and the mapping of alarms to Argus attack categories and MITRE ATT&CK categories.
Changes to Alarms are made available as updates through the Alarm Update WebSocket.
The service also keeps track of the volume and last observation of each signature from the Event Service.

Concepts

  • Attack denotes (in the scope of the Alarm Service) the usage of a known or suspected vulnerability of an IT-system.
  • Attack Category is an arbitrary category for grouping attacks. These categories are defined in Argus, and not part of an external standard.
  • Alarm brings together the accumulated info about known attacks. This is meant to quickly help the analyst assess incoming recognized attacks. Alarms are also manually created and updated by us. An alarm can have comments, labels, references and links. Alarms can be grouped into attack categories.
  • Signature is a technical attack signature, defined both by external sources and by us. It also provides information about the time when the signature was detected/triggered.
    The actual signatures for recognizing attacks are not stored in the Alarm Service, only the information about the attack. Signatures are not independent entities, but are the primary key of an Alarm Mapping. Signature is also referred to as attack identifier.
  • Alarm Mapping is the relationship between an alarm and selected signatures. Signatures are mapped to Alarms by a user process or through automated imports via API. An unmapped alarm mapping means that the signature has not yet been mapped to an alarm.
  • MITRE Category provides a standardized structure for various known attack tactics and techniques. It is regularly imported into the Alarm Service from an external source (https://github.com/mitre/cti/releases/). MITRE categories can be related to other MITRE categories and they can also be associated with alarms.
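The concepts above describe a small data model: a Signature is the primary key of an Alarm Mapping, a mapping may be unmapped until an analyst or an API import attaches it to an Alarm, and the service counts volume and last observation per signature. The following Python module is an added illustration of that model and is not Argus code; every class, field and function name (AlarmService, AlarmMapping, observe, unmapped_signatures, and so on) is an assumption chosen to mirror the page's vocabulary, and the alarms, signature names and attack categories in build_demo_service are constructed sample data.

```python
"""Illustrative model of the Alarm Service concepts (added example, not Argus code).

Class and method names are assumptions that mirror the page's terms:
Alarm, Signature, Alarm Mapping, Attack Category, MITRE Category.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Alarm:
    alarm_id: int
    name: str
    attack_categories: Set[str] = field(default_factory=set)  # Argus-defined grouping, not an external standard
    mitre_techniques: Set[str] = field(default_factory=set)   # ATT&CK technique IDs from the imported MITRE data


@dataclass
class AlarmMapping:
    """The signature is the primary key; alarm_id stays None while the mapping is unmapped."""
    signature: str
    alarm_id: Optional[int] = None
    volume: int = 0
    last_observed: Optional[datetime] = None


class AlarmService:
    def __init__(self) -> None:
        self.alarms: Dict[int, Alarm] = {}
        self.mappings: Dict[str, AlarmMapping] = {}

    def add_alarm(self, alarm: Alarm) -> None:
        self.alarms[alarm.alarm_id] = alarm

    def map_signature(self, signature: str, alarm_id: int) -> AlarmMapping:
        """Manual or API-driven mapping of a signature to an existing alarm."""
        if alarm_id not in self.alarms:
            raise KeyError(f"unknown alarm {alarm_id}")
        mapping = self.mappings.setdefault(signature, AlarmMapping(signature))
        mapping.alarm_id = alarm_id
        return mapping

    def observe(self, signature: str, seen_at: datetime) -> AlarmMapping:
        """Record one observation of a signature coming from the event stream.

        A signature seen for the first time creates an unmapped mapping, so the
        volume/last-seen bookkeeping works even before anyone has mapped it.
        """
        mapping = self.mappings.setdefault(signature, AlarmMapping(signature))
        mapping.volume += 1
        if mapping.last_observed is None or seen_at > mapping.last_observed:
            mapping.last_observed = seen_at
        return mapping

    def unmapped_signatures(self) -> List[str]:
        """Signatures that have fired but are not yet mapped to an alarm (the analyst backlog)."""
        return sorted(s for s, m in self.mappings.items() if m.alarm_id is None)

    def alarm_for(self, signature: str) -> Optional[Alarm]:
        m = self.mappings.get(signature)
        return self.alarms.get(m.alarm_id) if m and m.alarm_id is not None else None

    def signatures_by_attack_category(self) -> Dict[str, List[str]]:
        """Group mapped signatures by the attack categories of their alarm."""
        out: Dict[str, List[str]] = {}
        for sig in self.mappings:
            alarm = self.alarm_for(sig)
            if alarm is None:
                continue
            for cat in alarm.attack_categories:
                out.setdefault(cat, []).append(sig)
        return {k: sorted(v) for k, v in out.items()}


def build_demo_service() -> AlarmService:
    """Constructed sample data (alarm names, signatures and categories are made up)."""
    svc = AlarmService()
    svc.add_alarm(Alarm(1, "Web shell upload", {"webattack"}, {"T1505.003"}))
    svc.add_alarm(Alarm(2, "Brute-force login", {"bruteforce"}, {"T1110"}))
    svc.map_signature("SAMPLE webshell-upload", 1)
    svc.map_signature("SAMPLE ssh-failed-logins", 2)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    svc.observe("SAMPLE webshell-upload", t0)
    svc.observe("SAMPLE ssh-failed-logins", t0)
    svc.observe("SAMPLE ssh-failed-logins", datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc))
    svc.observe("custom-sig-0042", t0)  # fires before anyone has mapped it: stays unmapped
    return svc


if __name__ == "__main__":
    demo = build_demo_service()
    print("unmapped:", demo.unmapped_signatures())
    print("by category:", demo.signatures_by_attack_category())
```

The design point is that a signature never needs to exist as its own record: it lives only as the key of a mapping, so an event for an unknown signature simply produces an unmapped mapping that shows up in unmapped_signatures(), which is exactly the queue a triage analyst would want to drain.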

...