Sentinel Taxonomy
Sentinel™ includes the concept of taxonomy for its events, that is, a classification that is intended to group events of similar type together to ease reporting and searching. Rather than use proprietary, app-specific event names (login, authenticated, logged in, etc), all events of a particular type should map to the same taxonomic classification.
Sentinel 6.1 introduced the XDAS standard taxonomy (v1) as part of the Sentinel event; note that this standard is still in development and the finalized version will be adopted once it is available. Older versions of Sentinel used a legacy taxonomy that tended to morph over time; the mappings for it are still maintained, but the old taxonomy is deprecated, and plans should be made to migrate any content that depends on it to the new taxonomy over time.
There are actually several different enumerated fields in addition to the core event taxonomy:
- Event taxonomy : Classifies the type of activity that the event describes
- Outcome taxonomy : Classifies the type of outcome or result that was caused by the event
- Observer taxonomy : Classifies the type of system that generated the event
If you are curious, the original XDAS standard is available from this link: The original XDAS standard document
Sentinel Event Taxonomy
Here's how to use this table:
- Use the descriptive rows to find an event class that appears to match the event you are currently parsing.
- In the taxonomy.map file, enter a taxonomy key (a unique event key) that identifies the event, followed by the four legacy taxonomy columns (the last four columns in the table below), then the XDASTaxonomyName.
- Also refer to the Outcome taxonomy and append the outcome to the end of the taxonomy line for your event. A single app event often needs two or more keys (for example, one for success and one for failure), which you can distinguish by appending a result code or similar to the key.
- For reporting, you can either use the XDASTaxonomyName, or use the more efficient numeric identifiers. The numerics also group sets of related events together, which is useful.
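As an added example (not code from this page or from Sentinel itself), the following Python script shows the normalization described above in working form: several app-specific event names (login, logged in, authenticated) collapse onto one XDAS class, each (event, result) pair gets its own taxonomy key, lines are emitted in the column order given above (key, four legacy columns, XDASTaxonomyName, outcome), a map is checked back against the event and outcome tables that follow, and the numeric identifiers are used to group related events for reporting. The comma delimiter, the sample event names and result codes, and the key naming scheme are assumptions; only the column order and the table values come from the page.

```python
"""Added example: build Sentinel taxonomy.map lines and check them against the XDAS tables."""
from collections import namedtuple

XdasEvent = namedtuple("XdasEvent", "registry provider cls ident target subtarget action subaction")

# Subset of the event taxonomy table on this page: name -> numeric ids and legacy columns.
XDAS_EVENTS = {
    "XDAS_AE_SET_CRED_ACCOUNT":  XdasEvent(0, 0, 0, 6, "SYSTEM", "USER", "CHANGE PASSWORD", ""),
    "XDAS_AE_CREATE_SESSION":    XdasEvent(0, 0, 2, 0, "SYSTEM", "USER", "LOGIN", ""),
    "XDAS_AE_TERMINATE_SESSION": XdasEvent(0, 0, 2, 1, "SYSTEM", "USER", "LOGOUT", ""),
    "XDAS_AE_PRIV_ESCALATE":     XdasEvent(0, 0, 2, 5, "SYSTEM", "USER", "PRIV ESCALATE", ""),
}

# Subset of the outcome taxonomy table on this page: name -> (Outcome, Detail).
XDAS_OUTCOMES = {
    "XDAS_OUT_SUCCESS": (0, 0),
    "XDAS_OUT_DENIAL": (2, 0),
    "XDAS_OUT_INVALID_USER_CREDENTIALS": (2, 3),
    "XDAS_OUT_EXPIRED": (2, 6),
}

# Constructed (hypothetical app): three vendor spellings of "session created"
# and a few other app-specific names, each mapped to the one XDAS class it denotes.
RAW_EVENT_TO_XDAS = {
    "login": "XDAS_AE_CREATE_SESSION",
    "logged in": "XDAS_AE_CREATE_SESSION",
    "authenticated": "XDAS_AE_CREATE_SESSION",
    "logoff": "XDAS_AE_TERMINATE_SESSION",
    "sudo": "XDAS_AE_PRIV_ESCALATE",
    "passwd": "XDAS_AE_SET_CRED_ACCOUNT",
}

# Constructed: result codes the hypothetical app emits and the outcome each denotes.
RESULT_TO_OUTCOME = {
    "ok": "XDAS_OUT_SUCCESS",
    "badpw": "XDAS_OUT_INVALID_USER_CREDENTIALS",
    "expired": "XDAS_OUT_EXPIRED",
    "denied": "XDAS_OUT_DENIAL",
}

# Constructed: (event name, result code) pairs as a parser would observe them.
RAW_SAMPLES = [
    ("login", "ok"), ("logged in", "ok"), ("authenticated", "ok"),
    ("login", "badpw"), ("authenticated", "badpw"), ("login", "expired"),
    ("logoff", "ok"), ("sudo", "ok"), ("sudo", "denied"), ("passwd", "ok"),
]

SEP = ","  # assumed field delimiter; the page states only the column order


def taxonomy_key(raw_name, result):
    """One key per (event, result): the same app event needs separate keys when
    it can succeed or fail, so the result code is appended to the key."""
    return f"{raw_name.replace(' ', '_')}_{result}"


def build_taxonomy_map(samples):
    """One line per distinct (event, result), in the page's column order:
    key, the four legacy columns, XDASTaxonomyName, then the outcome."""
    lines = []
    for raw_name, result in sorted(set(samples)):
        xdas_name = RAW_EVENT_TO_XDAS[raw_name]
        ev = XDAS_EVENTS[xdas_name]
        lines.append(SEP.join([taxonomy_key(raw_name, result),
                               ev.target, ev.subtarget, ev.action, ev.subaction,
                               xdas_name, RESULT_TO_OUTCOME[result]]))
    return lines


def validate_taxonomy_map(lines):
    """Return (key, problem) pairs for lines that would mis-classify events: wrong
    field count, unknown XDAS or outcome name, or legacy columns that disagree with the table."""
    problems = []
    for line in lines:
        fields = line.split(SEP)
        if len(fields) != 7:
            problems.append((fields[0], f"expected 7 fields, got {len(fields)}"))
            continue
        key, legacy, xdas_name, outcome = fields[0], fields[1:5], fields[5], fields[6]
        ev = XDAS_EVENTS.get(xdas_name)
        if ev is None:
            problems.append((key, f"unknown event class {xdas_name}"))
        elif legacy != [ev.target, ev.subtarget, ev.action, ev.subaction]:
            problems.append((key, f"legacy columns {legacy} do not match {xdas_name}"))
        if outcome not in XDAS_OUTCOMES:
            problems.append((key, f"unknown outcome {outcome}"))
    return problems


def numeric_ids(line):
    """Compact numeric form for reporting: (registry, provider, class, identifier, outcome, detail)."""
    fields = line.split(SEP)
    ev = XDAS_EVENTS[fields[5]]
    return (ev.registry, ev.provider, ev.cls, ev.ident) + XDAS_OUTCOMES[fields[6]]


def group_by_class(lines):
    """The numeric XDAS Class groups related events: all session events share class 2."""
    groups = {}
    for line in lines:
        groups.setdefault(numeric_ids(line)[2], set()).add(line.split(SEP)[5])
    return groups


if __name__ == "__main__":
    taxonomy_map = build_taxonomy_map(RAW_SAMPLES)
    print("\n".join(taxonomy_map))
    print("problems:", validate_taxonomy_map(taxonomy_map))
    print("classes:", {cls: sorted(names) for cls, names in group_by_class(taxonomy_map).items()})
```

Running the script prints ten map lines (one per distinct event/result pair), an empty problem list, and the grouping by class, where every session-related event lands in class 2 regardless of which vendor spelling produced it. The validator is the check worth keeping in a collector build: a legacy column that disagrees with the XDASTaxonomyName on the same line means the event will be classified one way under the old taxonomy and another under XDAS, which silently breaks reports that filter on either.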
XDASTaxonomyName | XDAS Registry | XDAS Provider | XDAS Class | XDAS Identifier | Taxonomy Level1 (Target) | Taxonomy Level2 (SubTarget) | Taxonomy Level3 (Action) | Taxonomy Level4 (SubAction) |
---|---|---|---|---|---|---|---|---|
Account Management Events - This set of events is applicable to the management of principal accounts. A principal may be an end-user or a service within the system - a pseudo-user. | ||||||||
Create account - The creation of an account representing a principal within a domain | ||||||||
XDAS_AE_CREATE_ACCOUNT | 0 | 0 | 0 | 0 | SYSTEM | USER | CREATE | |
Delete account - The deletion of an account representing a principal from a domain | ||||||||
XDAS_AE_DELETE_ACCOUNT | 0 | 0 | 0 | 1 | SYSTEM | USER | DELETE | |
Disable account - An action that prevents a principal account from being used within a domain | ||||||||
XDAS_AE_DISABLE_ACCOUNT | 0 | 0 | 0 | 2 | SYSTEM | USER | DISABLE | |
Enable account - An action that permits a principal account to be used within a domain | ||||||||
XDAS_AE_ENABLE_ACCOUNT | 0 | 0 | 0 | 3 | SYSTEM | USER | ENABLE | |
Query account attributes - The requesting of the attributes associated with a principal within a domain | ||||||||
XDAS_AE_QUERY_ACCOUNT | 0 | 0 | 0 | 4 | SYSTEM | USER | QUERY | |
Modify account attributes - The modification of the attributes associated with a principal within a domain | ||||||||
XDAS_AE_MODIFY_ACCOUNT | 0 | 0 | 0 | 5 | SYSTEM | USER | MODIFY | |
Change account password - The modification of the account "secret" that must be presented by the user in order to authenticate | ||||||||
XDAS_AE_SET_CRED_ACCOUNT | 0 | 0 | 0 | 6 | SYSTEM | USER | CHANGE PASSWORD | |
Grant account access - Grant access to a resource (file, table, service, function) to an account | ||||||||
XDAS_AE_GRANT_ACCOUNT_ACCESS | 0 | 0 | 0 | 7 | SYSTEM | USER | GRANT PERMISSION | |
Revoke account access - Revoke access to a resource (file, table, service, function) from an account | ||||||||
XDAS_AE_REVOKE_ACCOUNT_ACCESS | 0 | 0 | 0 | 8 | SYSTEM | USER | REVOKE PERMISSION | |
Trust Management Events - This set of events is applicable to the management of trust relationships. A trust may be instantiated via a group, role, permission profile, or some other container that when a user is associated with it, it confers access to that user. | ||||||||
Create trust - The creation of a role, group, profile, or other permissions container, here referred to as a trust | ||||||||
XDAS_AE_CREATE_TRUST | 0 | 0 | 1 | 0 | SYSTEM | TRUST | CREATE | |
Delete trust - The deletion of a trust from a domain | ||||||||
XDAS_AE_DELETE_TRUST | 0 | 0 | 1 | 1 | SYSTEM | TRUST | DELETE | |
Add account to trust - An association of an account with the trust which confers trust permissions to the user | ||||||||
XDAS_AE_ASSOC_TRUST | 0 | 0 | 1 | 2 | SYSTEM | TRUST | ADD USER | |
Remove account from trust - Disassociation of an account with a trust | ||||||||
XDAS_AE_DEASSOC_TRUST | 0 | 0 | 1 | 3 | SYSTEM | TRUST | REMOVE USER | |
Query trust attributes - The requesting of the attributes associated with a trust within a domain | ||||||||
XDAS_AE_QUERY_TRUST | 0 | 0 | 1 | 4 | SYSTEM | TRUST | QUERY | |
Modify trust attributes - The modification of the attributes associated with a trust within a domain | ||||||||
XDAS_AE_MODIFY_TRUST | 0 | 0 | 1 | 5 | SYSTEM | TRUST | MODIFY | |
Grant trust access - Grant access to a resource (file, table, service, function) to a trust | ||||||||
XDAS_AE_GRANT_TRUST_ACCESS | 0 | 0 | 1 | 7 | SYSTEM | TRUST | GRANT PERMISSION | |
Revoke trust access - Revoke access to a resource (file, table, service, function) from a trust | ||||||||
XDAS_AE_REVOKE_TRUST_ACCESS | 0 | 0 | 1 | 8 | SYSTEM | TRUST | REVOKE PERMISSION | |
User Session Events - This set of events is relevant to the creation and use of user sessions on the system. | ||||||||
Create a user session - The establishment of a processing environment to service an end user, e.g. authentication or logging in | ||||||||
XDAS_AE_CREATE_SESSION | 0 | 0 | 2 | 0 | SYSTEM | USER | LOGIN | |
Terminate a user session - The dismantling of a processing environment associated with servicing an end user | ||||||||
XDAS_AE_TERMINATE_SESSION | 0 | 0 | 2 | 1 | SYSTEM | USER | LOGOUT | |
Query user session attributes - The requesting of the attributes associated with a user session | ||||||||
XDAS_AE_QUERY_SESSION | 0 | 0 | 2 | 2 | SYSTEM | SESSION | QUERY | |
Modify user session attributes - The modification of security-significant attributes of the context of a processing environment servicing an end user | ||||||||
XDAS_AE_MODIFY_SESSION | 0 | 0 | 2 | 3 | SYSTEM | SESSION | MODIFY | |
Authenticate user - In most cases this is part of the login process, but in some environments the authentication happens separately from the creation of the session. | ||||||||
XDAS_AE_AUTHENTICATE_ACCOUNT | 0 | 0 | 2 | 4 | SYSTEM | USER | AUTH | |
Privilege Escalation - This occurs when a user escalates their privilege level | ||||||||
XDAS_AE_PRIV_ESCALATE | 0 | 0 | 2 | 5 | SYSTEM | USER | PRIV ESCALATE | |
Data Item and Resource Element Management Events - This set of events relate to the creation and management of data items and resource elements within a domain, e.g. files and directories, device special files, shared memory segments within an operating system, tables and records within a database, messages within an email system. The type of data item or resource element is dependent upon the domain. | ||||||||
Create data item - Creation of a data item within a domain | ||||||||
XDAS_AE_CREATE_DATA_ITEM | 0 | 0 | 3 | 0 | SYSTEM | DATAITEM | CREATE | |
Delete data item - Deletion of a data item from a domain | ||||||||
XDAS_AE_DELETE_DATA_ITEM | 0 | 0 | 3 | 1 | SYSTEM | DATAITEM | DELETE | |
Query data item attributes - The requesting of the attributes associated with a domain data item | ||||||||
XDAS_AE_QUERY_DATA_ITEM_ATT | 0 | 0 | 3 | 2 | SYSTEM | DATAITEM | QUERY | |
Modify data item attributes - The modification of the security attributes of a domain data item such as access control attributes, ownership, aliases, etc. | ||||||||
XDAS_AE_MODIFY_DATA_ITEM_ATT | 0 | 0 | 3 | 3 | SYSTEM | DATAITEM | MODIFY | |
Service or Application Management Events - This set of events relate to the management of system services and applications. | ||||||||
Install service or application - The installation of additional or updated software on a system; e.g. an application or system service. | ||||||||
XDAS_AE_INSTALL_SERVICE | 0 | 0 | 4 | 0 | SYSTEM | SERVICE | INSTALL | |
Remove service or application - The de-installation of software on a system | ||||||||
XDAS_AE_REMOVE_SERVICE | 0 | 0 | 4 | 1 | SYSTEM | SERVICE | REMOVE | |
Configure service or application - The modification of the configuration data associated with a software component | ||||||||
XDAS_AE_MODIFY_SERVICE_CONFIG | 0 | 0 | 4 | 2 | SYSTEM | SERVICE | CONFIG | |
Query configuration of service or application - The requesting of information about the configuration of a service or application | ||||||||
XDAS_AE_QUERY_SERVICE_CONFIG | 0 | 0 | 4 | 3 | SYSTEM | SERVICE | QUERY | |
Disable service or application - An action that prevents an application or system service from being used; for example, inhibiting responses to service requests. It may also involve the termination (shutdown) of application processing components that are currently providing the service. | ||||||||
XDAS_AE_DISABLE_SERVICE | 0 | 0 | 4 | 4 | SYSTEM | SERVICE | DISABLE | |
Enable service or application - An action that permits an application or system service to be used; for example, allowing responses to service requests. This may also involve the invocation of specific application processing components (_startup_). | ||||||||
XDAS_AE_ENABLE_SERVICE | 0 | 0 | 4 | 5 | SYSTEM | SERVICE | ENABLE | |
Service and Application Utilization Events - These events relate to the use of service and applications. They typically map to the execution of a program or a procedure and manipulation of the processing environment. | ||||||||
Invoke service or application - The invocation of a service or application (_exec_); e.g. operating system utility, database, accounting application, etc. | ||||||||
XDAS_AE_INVOKE_SERVICE | 0 | 0 | 5 | 0 | SYSTEM | PROCESS | INVOKE | |
Terminate service or application component - The termination (_exit_) of the use of a service or application. This could be at the instigation of the application itself or by the intervention of the domain in response to user or administrative action. | ||||||||
XDAS_AE_TERMINATE_SERVICE | 0 | 0 | 5 | 1 | SYSTEM | PROCESS | TERMINATE | |
Query processing context - The requesting of the attributes associated with the current processing environment | ||||||||
XDAS_AE_QUERY_PROCESS_CONTEXT | 0 | 0 | 5 | 2 | SYSTEM | PROCESS | QUERY | |
Modify processing context - The modification of the attributes associated with the current processing environment | ||||||||
XDAS_AE_MODIFY_PROCESS_CONTEXT | 0 | 0 | 5 | 3 | SYSTEM | PROCESS | MODIFY | |
Peer Association Management Events | ||||||||
Create an association with a peer - The creation of a communication channel and the processing context between system components | ||||||||
XDAS_AE_CREATE_PEER_ASSOC | 0 | 0 | 6 | 0 | SYSTEM | PEER | ASSOC | |
Terminate an association with a peer - The closure of a communications channel and destruction of processing context between system components | ||||||||
XDAS_AE_TERMINATE_PEER_ASSOC | 0 | 0 | 6 | 1 | SYSTEM | PEER | DEASSOC | |
Query an association context - The requesting of the attributes of a context associated with a communications channel between peers | ||||||||
XDAS_AE_QUERY_ASSOC_CONTEXT | 0 | 0 | 6 | 2 | SYSTEM | PEER | QUERY | |
Modify an association context - The modification of the attributes of a processing context associated with a communications channel | ||||||||
XDAS_AE_MODIFY_ASSOC_CONTEXT | 0 | 0 | 6 | 3 | SYSTEM | PEER | MODIFY | |
Receive data via an association - Receiving data from associated peer within current association context | ||||||||
XDAS_AE_RECEIVE_DATA_VIA_ASSOC | 0 | 0 | 6 | 4 | SYSTEM | PEER | RECEIVE | |
Send data via an association - Sending data to associated peer within current association context | ||||||||
XDAS_AE_SEND_DATA_VIA_ASSOC | 0 | 0 | 6 | 5 | SYSTEM | PEER | SEND | |
Data Item or Resource Element Content Access Events - These events relate to the formation of an association between a service or application and a data item or resource element for the purpose of using its contents or services; for example, a file or directory, device special file, memory segment, communications port, etc. | ||||||||
Create association with data item - Create an association with (_open_) a data item. This creates a binding between the caller and the data item. | ||||||||
XDAS_AE_CREATE_DATA_ITEM_ASSOC | 0 | 0 | 7 | 0 | SYSTEM | DATAITEM | OPEN | |
Terminate association with data item - The termination of an existing association with (_close_) a data item | ||||||||
XDAS_AE_TERMINATE_DATA_ITEM_ASSOC | 0 | 0 | 7 | 1 | SYSTEM | DATAITEM | CLOSE | |
Query context of association with data item - The requesting of the context of an association with a data item; e.g. mode of access, size limits, access path, etc | ||||||||
XDAS_AE_QUERY_DATA_ITEM_ASSOC_CONTEXT | 0 | 0 | 7 | 2 | SYSTEM | DATAASSOC | QUERY | |
Modify context of association with a data item - The modification of the context of an association with a data item or resource element | ||||||||
XDAS_AE_MODIFY_DATA_ITEM_ASSOC_CONTEXT | 0 | 0 | 7 | 3 | SYSTEM | DATAASSOC | MODIFY | |
Query data item contents - The requesting of the contents of a domain data item (_read_) | ||||||||
XDAS_AE_QUERY_DATA_ITEM_CONTENTS | 0 | 0 | 7 | 4 | SYSTEM | DATA | READ | |
Modify data item contents - The modification of the contents of a domain data item (_write_, _append_, etc). | ||||||||
XDAS_AE_MODIFY_DATA_ITEM_CONTENTS | 0 | 0 | 7 | 5 | SYSTEM | DATA | WRITE | |
Exceptional Events - These are events that are considered to be outside the generalized events listed above | ||||||||
Start system - The action of booting a system host or of changing the processing state of a system host to an operational mode | ||||||||
XDAS_AE_START_SYS | 0 | 0 | 8 | 0 | SYSTEM | SYS | START | |
Shutdown system - The action of halting the processing by a system host or changing the processing state of a system host to a maintenance mode | ||||||||
XDAS_AE_SHUTDOWN_SYS | 0 | 0 | 8 | 1 | SYSTEM | SYS | SHUTDOWN | |
Resource exhaustion - The detection of resource exhaustion which has a potential impact on system operations, perhaps based upon a configurable threshold; e.g. data storage resources, communication end points, etc | ||||||||
XDAS_AE_RESOURCE_EXHAUST | 0 | 0 | 8 | 2 | SYSTEM | RESOURCE | EXHAUST | |
Resource corruption - The detection of an integrity failure of a system resource; for example, data storage resource. | ||||||||
XDAS_AE_RESOURCE_CORRUPT | 0 | 0 | 8 | 3 | SYSTEM | RESOURCE | CORRUPTED | |
Backup datastore - The action of making a backup copy of a datastore for the purposes of protecting availability and integrity of the data it contains | ||||||||
XDAS_AE_BACKUP_DATASTORE | 0 | 0 | 8 | 4 | SYSTEM | OBJECT | BACKUP | |
Recover datastore - The action of restoring the contents of a datastore from a previously made backup copy for the purposes of restoring the availability of the contents, or the integrity of the contents, or both | ||||||||
XDAS_AE_RECOVER_DATASTORE | 0 | 0 | 8 | 5 | SYSTEM | OBJECT | RESTORE | |
Scan start - Some component of the system is being scanned - use the application information to understand what type of scan is being performed. | ||||||||
XDAS_AE_SCAN_START | 0 | 0 | 8 | 6 | SYSTEM | OBJECT | SCANSTART | |
Scan stop - Some component of the system was being scanned and is now stopped - use the application information to understand what type of scan was being performed. | ||||||||
XDAS_AE_SCAN_STOP | 0 | 0 | 8 | 7 | SYSTEM | OBJECT | SCANSTOP | |
System Signature Update - A download of system signature, pattern, or configuration data was performed. | ||||||||
XDAS_AE_CONFUPDATE | 0 | 0 | 8 | 8 | SYSTEM | CONFIG | UPDATE | |
License Validation - A validation check on the license or subscription was performed. | ||||||||
XDAS_AE_LICENSE | 0 | 0 | 8 | 9 | SYSTEM | CONFIG | LICENSE | |
Audit Service Management Events - These are events of specific relevance to the audit service itself. | ||||||||
Configure audit service - The modification of the parameters controlling the operation of the audit service; for example, audit event filtering criteria. | ||||||||
XDAS_AE_AUD_CONFIG | 0 | 0 | 9 | 0 | SYSTEM | AUDIT | CONFIG | |
Audit datastore full - The detection of resource exhaustion for the particular instance of the resource used to store the log of audit event records | ||||||||
XDAS_AE_AUD_DS_FULL | 0 | 0 | 9 | 1 | SYSTEM | AUDIT | FULL | |
Audit datastore corrupted - The detection of a datastore integrity failure for the particular instance of the resource used to store the log of audit event records | ||||||||
XDAS_AE_AUD_DS_CORR | 0 | 0 | 9 | 2 | SYSTEM | AUDIT | CORRUPT | |
Audit service start - Start or enable auditing service | ||||||||
XDAS_AE_AUD_START | 0 | 0 | 9 | 3 | SYSTEM | AUDIT | START | |
Audit service stop - Stop or disable the audit service | ||||||||
XDAS_AE_AUD_STOP | 0 | 0 | 9 | 4 | SYSTEM | AUDIT | STOP | |
Audit datastore deleted - Delete a container of audit information such as a file or DB table | ||||||||
XDAS_AE_AUD_DELETE | 0 | 0 | 9 | 5 | SYSTEM | AUDIT | DELETE | |
Workflow Events - Many systems define activity workflows that are followed to perform a specific task, like incident handling, issue resolution, account provisioning, and so forth. This category of events reports on the processes occurring within the workflow. | ||||||||
Create workflow instance - A workflow instance was created in response to some detected condition, such as a user request or detected event. | ||||||||
XDAS_AE_WF_CREATE | 0 | 0 | 10 | 0 | SYSTEM | WORKFLOW | CREATE | |
Invoke workflow task - A task within a workflow instance was invoked | ||||||||
XDAS_AE_WF_INVOKE | 0 | 0 | 10 | 1 | SYSTEM | WORKFLOW | INVOKE | |
Assign workflow task - A manual task within a workflow was assigned to be handled by a user or group/role | ||||||||
XDAS_AE_WF_ASSIGN | 0 | 0 | 10 | 2 | SYSTEM | WORKFLOW | ASSIGN | |
Terminate workflow task - A task within a workflow was terminated, either by completion, timeout, or explicit termination. | ||||||||
XDAS_AE_WF_FINISH | 0 | 0 | 10 | 3 | SYSTEM | WORKFLOW | FINISH | |
Attack Events - This set of events is applicable to various types of intrusion attempts that may be detected by local or remote IDS/IPS/AV software. | ||||||||
Information Leak Attempt - Records if an attempt is made to illicitly gather information about resources in the environment | ||||||||
XDAS_AE_IDS_INFO | 0 | 0 | 11 | 0 | SYSTEM | ATTACK | INFO | |
Penetration Attempt - Records if a targeted penetration attempt is made against enterprise resources | ||||||||
XDAS_AE_IDS_PENETRATE | 0 | 0 | 11 | 1 | SYSTEM | ATTACK | PENETRATE | |
Denial of Service Attempt - Records if a Denial of Service attempt is made against enterprise resources | ||||||||
XDAS_AE_IDS_DOS | 0 | 0 | 11 | 2 | SYSTEM | ATTACK | DOS | |
Resource Probe Attempt - Records if various types of probes are detected against enterprise resources | ||||||||
XDAS_AE_IDS_PROBE | 0 | 0 | 11 | 3 | SYSTEM | ATTACK | PROBE | |
Resource Infected - Record if an AV or IDS determines that a system has been affected by a virus or similar infection. | ||||||||
XDAS_AE_INFECTED | 0 | 0 | 11 | 4 | SYSTEM | RESOURCE | INFECTED | |
Resource Cleaned - Record if an AV or IDS determines that a system has been cleaned by antivirus. | ||||||||
XDAS_AE_CLEANED | 0 | 0 | 11 | 5 | SYSTEM | RESOURCE | CLEANED | |
Resource Quarantined - Record if an AV or IDS determines that a system has been quarantined by antivirus. | ||||||||
XDAS_AE_QUARANTINED | 0 | 0 | 11 | 6 | SYSTEM | RESOURCE | QUARANTINED | |
Evasion - Record if an Evasion attack is detected by an IDS | ||||||||
XDAS_AE_IDS_EVASION | 0 | 0 | 11 | 7 | SYSTEM | ATTACK | EVASION | |
Suspicious Activity - Record if suspicious activity is detected by an IDS | ||||||||
XDAS_AE_IDS_SUSPICIOUS | 0 | 0 | 11 | 8 | SYSTEM | ATTACK | SUSPICIOUS | |
Spam or Phishing - Record if spam or phishing content is detected in an e-mail | ||||||||
XDAS_AE_SPAM | 0 | 0 | 11 | 9 | SYSTEM | RESOURCE | SPAM | |
Virus Infection - Record if a system is detected to have been infected by a virus. | ||||||||
XDAS_AE_INFECTED_VIRUS | 0 | 0 | 11 | 10 | SYSTEM | RESOURCE | VIRUS | |
Worm Infection - Record if a system is detected to have been infected by a worm. | ||||||||
XDAS_AE_INFECTED_WORM | 0 | 0 | 11 | 11 | SYSTEM | RESOURCE | WORM | |
Trojan Infection - Record if a system is detected to have been infected by a trojan. | ||||||||
XDAS_AE_INFECTED_TROJAN | 0 | 0 | 11 | 12 | SYSTEM | RESOURCE | TROJAN | |
Sentinel Outcome Taxonomy
XDAS Outcome Name | Outcome | Detail |
---|---|---|
XDAS_OUT_SUCCESS | 0 | 0 |
XDAS_OUT_PRIV_USED | 0 | 1 |
XDAS_OUT_PRIV_GRANTED | 0 | 2 |
XDAS_OUT_PRIV_REVOKED | 0 | 3 |
XDAS_OUT_PRESELECT_CRITERIA_SET | 0 | 4 |
XDAS_OUT_THRESHOLDS_SET | 0 | 5 |
XDAS_OUT_ACTIONS_SET | 0 | 6 |
XDAS_OUT_FAILURE | 1 | 0 |
XDAS_OUT_SERVICE_UNAVAILABLE | 1 | 1 |
XDAS_OUT_SERVICE_FAILURE | 1 | 2 |
XDAS_OUT_HARDWARE_FAILURE | 1 | 3 |
XDAS_OUT_LOST_ASSOCIATION | 1 | 4 |
XDAS_OUT_ALREADY_DISABLED | 1 | 5 |
XDAS_OUT_SERVICE_ERROR | 1 | 6 |
XDAS_OUT_BUSY | 1 | 7 |
XDAS_OUT_DISABLED | 1 | 8 |
XDAS_OUT_INVALID_INPUT | 1 | 9 |
XDAS_OUT_ENTITY_EXISTS | 1 | 10 |
XDAS_OUT_ENTITY_NON-EXISTENT | 1 | 11 |
XDAS_OUT_THRESHOLD_EXCEEDED | 1 | 12 |
XDAS_OUT_DENIAL | 2 | 0 |
XDAS_OUT_INSUFFICIENT_PRIVILEGE | 2 | 1 |
XDAS_OUT_INVALID_IDENTITY | 2 | 2 |
XDAS_OUT_INVALID_USER_CREDENTIALS | 2 | 3 |
XDAS_OUT_INSUFFICIENT_INPUT | 2 | 4 |
XDAS_OUT_POLICY_VIOLATION | 2 | 5 |
XDAS_OUT_EXPIRED | 2 | 6 |
XDAS_OUT_UNKNOWN | 3 | 0 |
Sentinel Observer Taxonomy
Long Name | Abbr |
---|---|
Operating System | OS |
Database | DB |
Network Firewall | FW |
Host-based Firewall | HFW |
Intrusion Detection/Prevention System | IDS |
Antivirus | AV |
Antispam | AS |
Vulnerability Scanner | VULN |
Network Router/Switch | NETD |
Network Management (DNS/DHCP/etc) | NETM |
Identity Management | IDM |
Proxy | PROX |
Virtual Private Network | VPN |
Cloud Access Provider | CAP |
Incident Management | INCM |
Configuration Management | CM |
Change Management | CHA |
File Integrity Monitoring | FIM |
E-Mail System | EML |
Web and/or Application Server | WEB |
Data Loss Prevention | DLP |
Financial Application | FIN |
HR Application | HR |
Business Management | BM |
Storage | STO |
Network User Behavior Analysis | NUBA |
Security Event Management | SIEM |
General application or service not in other tr | APP |
Event source not in other tr | O |
NetFlow | NETFLOW |
Sentinel License Types
Type | Description |
---|---|
I | Single server operating system, database, security or network device (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), routers, switches, etc.). Devices or software that send their event logs to a management console/device/software or syslog server are counted by the number of primary source devices from which the logs originate. |
II | Applications or operating systems on individual desktop computers (e.g., virus scanning per desktop) or hand-held or portable devices. |
III | Vulnerability Scanners, such as eEye Retina or Nessus. |
IV | Non-security enterprise applications (e.g., enterprise resource planning (ERP) software, email, application delivery, etc.), log management appliances or software, but does not include syslog servers. Additionally a Type IV Device includes any other device that doesn't qualify as a Type I, Type II, Type III or Type V Device. |
V | Mainframe security logical partitions (LPARs) to be monitored (e.g., RACF, TopSecret and ACF2) and mid-range servers (e.g., AS400 or HP NonStop). |