
Sentinel Taxonomy

Sentinel™ includes the concept of taxonomy for its events, that is, a classification that is intended to group events of similar type together to ease reporting and searching. Rather than use proprietary, app-specific event names (login, authenticated, logged in, etc), all events of a particular type should map to the same taxonomic classification.

Sentinel 6.1 introduced the use of the XDAS standard taxonomy (v1) as part of the Sentinel event; note that this standard is still in development but will be adopted once it is available. Older versions of Sentinel used a legacy taxonomy that tended to morph over time; the mappings are still maintained but the old taxonomy is deprecated and plans should be developed to migrate any content to use the new taxonomy over time.

There are actually several different enumerated fields in addition to the core event taxonomy:

  • Event taxonomy: Classifies the type of activity that the event describes
  • Outcome taxonomy: Classifies the type of outcome or result that was caused by the event
  • Observer taxonomy: Classifies the type of system that generated the event

If you are curious, the original XDAS standard is available from this link: The original XDAS standard document

Sentinel Event Taxonomy

Here's how to use this table:

  1. Use the descriptive rows to find an event class that appears to match the event you are currently parsing.
  2. In the taxonomy.map file, enter the taxonomy key (unique event key) to identify that event, then enter the four legacy taxonomy columns (last four columns below), then the XDASTaxonomyName.
  3. Also refer to the Outcome taxonomy and append that to the end of the taxonomy line for your event (you may need to create two or more keys for a single event by appending a result code or similar).
  4. For reporting, you can either use the XDASTaxonomyName, or use the more efficient numeric identifiers. The numerics also group sets of related events together, which is useful.
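
As an added worked example (not Sentinel's own code, and not the real taxonomy.map syntax), the following Python carries the four steps through for a hypothetical "acmeapp" event source: it embeds a constructed subset of the event and outcome tables below, resolves a parsed event to its XDAS and legacy columns, renders a map entry in the column order steps 2 and 3 describe, and uses the numeric XDAS Class and Outcome for the reporting that step 4 mentions. The source name, result codes, key format and '|' delimiter are assumptions.

```python
# Constructed subset of the page's event and outcome tables:
# name -> (registry, provider, class, identifier, level1, level2, level3, level4)
XDAS_EVENTS = {
    "XDAS_AE_CREATE_SESSION": (0, 0, 2, 0, "SYSTEM", "USER", "LOGIN", ""),
    "XDAS_AE_PRIV_ESCALATE": (0, 0, 2, 5, "SYSTEM", "USER", "PRIV", "ESCALATE"),
    "XDAS_AE_SET_CRED_ACCOUNT": (0, 0, 0, 6, "SYSTEM", "USER", "CHANGE", "PASSWORD"),
}
# name -> (outcome, detail)
XDAS_OUTCOMES = {
    "XDAS_OUT_SUCCESS": (0, 0),
    "XDAS_OUT_INVALID_USER_CREDENTIALS": (2, 3),
    "XDAS_OUT_EXPIRED": (2, 6),
}
# Steps 2 and 3: one key per (app-specific event name, result code) for a
# hypothetical "acmeapp" source; the names and result codes are constructed.
TAXONOMY_MAP = {
    ("acmeapp", "logged in", "0"): ("XDAS_AE_CREATE_SESSION", "XDAS_OUT_SUCCESS"),
    ("acmeapp", "logged in", "49"): ("XDAS_AE_CREATE_SESSION", "XDAS_OUT_INVALID_USER_CREDENTIALS"),
    ("acmeapp", "logged in", "773"): ("XDAS_AE_CREATE_SESSION", "XDAS_OUT_EXPIRED"),
    ("acmeapp", "sudo", "0"): ("XDAS_AE_PRIV_ESCALATE", "XDAS_OUT_SUCCESS"),
    ("acmeapp", "passwd", "0"): ("XDAS_AE_SET_CRED_ACCOUNT", "XDAS_OUT_SUCCESS"),
}

def classify(source, event_name, result_code):
    """Resolve one parsed event to its XDAS event and outcome fields; return
    None for an unmapped event so the caller can flag it instead of
    silently assigning a wrong class."""
    names = TAXONOMY_MAP.get((source, event_name, result_code))
    if names is None:
        return None
    ev_name, out_name = names
    reg, prov, cls, ident, l1, l2, l3, l4 = XDAS_EVENTS[ev_name]
    outcome, detail = XDAS_OUTCOMES[out_name]
    return {"XDASTaxonomyName": ev_name, "XDASRegistry": reg,
            "XDASProvider": prov, "XDASClass": cls, "XDASIdentifier": ident,
            "TaxonomyLevel1": l1, "TaxonomyLevel2": l2,
            "TaxonomyLevel3": l3, "TaxonomyLevel4": l4,
            "XDASOutcomeName": out_name, "XDASOutcome": outcome,
            "XDASOutcomeDetail": detail}

def taxonomy_map_line(source, event_name, result_code):
    """Render one entry in the column order of step 2 (key, four legacy
    columns, XDASTaxonomyName) with the outcome appended as in step 3.
    The key format and '|' delimiter are assumptions, not Sentinel's."""
    c = classify(source, event_name, result_code)
    if c is None:
        return None
    key = f"{source}_{event_name.replace(' ', '_')}_{result_code}"
    return "|".join([key, c["TaxonomyLevel1"], c["TaxonomyLevel2"],
                     c["TaxonomyLevel3"], c["TaxonomyLevel4"],
                     c["XDASTaxonomyName"], c["XDASOutcomeName"]])

def count_denials_in_class(events, xdas_class):
    """Step 4: report on the numerics. Count events whose XDAS Class matches
    (2 = user session events) and whose Outcome is 2 (denial), whatever
    app-specific name produced them."""
    return sum(1 for src, name, code in events
               if (c := classify(src, name, code)) is not None
               and c["XDASClass"] == xdas_class and c["XDASOutcome"] == 2)

# Constructed sample of parsed events: (source, app-specific name, result code)
SAMPLE_EVENTS = [("acmeapp", "logged in", "0"), ("acmeapp", "logged in", "49"),
                 ("acmeapp", "logged in", "49"), ("acmeapp", "logged in", "773"),
                 ("acmeapp", "sudo", "0"), ("acmeapp", "logged in", "999")]
```

The last sample event has no key yet, so classify() returns None for it; an unmapped event should be reported rather than defaulted to a class.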
Each event below is listed as a description line ("Title - Description") followed by a data line whose space-separated columns are, in order:

  XDASTaxonomyName, XDAS Registry, XDAS Provider, XDAS Class, XDAS Identifier, Taxonomy Level1 (Target), Taxonomy Level2 (SubTarget), Taxonomy Level3 (Action), Taxonomy Level4 (SubAction)

The four numbers are the XDAS Registry, Provider, Class and Identifier; the words that follow are the legacy Taxonomy Level1 through Level4 columns (Level4 is empty for many events).

Account Management Events - This set of events is applicable to the management of principal accounts. A principal may be an end-user or a service within the system - a pseudo-user.
Create account - The creation of an account representing a principal within a domain
XDAS_AE_CREATE_ACCOUNT 0 0 0 0 SYSTEM USER CREATE
Delete account - The deletion of an account representing a principal from a domain
XDAS_AE_DELETE_ACCOUNT 0 0 0 1 SYSTEM USER DELETE
Disable account - An action that prevents a principal account from being used within a domain
XDAS_AE_DISABLE_ACCOUNT 0 0 0 2 SYSTEM USER DISABLE
Enable account - An action that permits a principal account to be used within a domain
XDAS_AE_ENABLE_ACCOUNT 0 0 0 3 SYSTEM USER ENABLE
Query account attributes - The requesting of the attributes associated with a principal within a domain
XDAS_AE_QUERY_ACCOUNT 0 0 0 4 SYSTEM USER QUERY
Modify account attributes - The modification of the attributes associated with a principal within a domain
XDAS_AE_MODIFY_ACCOUNT 0 0 0 5 SYSTEM USER MODIFY
Change account password - The modification of the account "secret" that must be presented by the user in order to authenticate
XDAS_AE_SET_CRED_ACCOUNT 0 0 0 6 SYSTEM USER CHANGE PASSWORD
Grant account access - Grant access to a resource (file, table, service, function) to an account
XDAS_AE_GRANT_ACCOUNT_ACCESS 0 0 0 7 SYSTEM USER GRANT PERMISSION
Revoke account access - Revoke access to a resource (file, table, service, function) from an account
XDAS_AE_REVOKE_ACCOUNT_ACCESS 0 0 0 8 SYSTEM USER REVOKE PERMISSION
Trust Management Events - This set of events is applicable to the management of trust relationships. A trust may be instantiated via a group, role, permission profile, or some other container that when a user is associated with it, it confers access to that user.
Create trust - The creation of a role, group, profile, or other permissions container, here referred to as a trust
XDAS_AE_CREATE_TRUST 0 0 1 0 SYSTEM TRUST CREATE
Delete trust - The deletion of a trust from a domain
XDAS_AE_DELETE_TRUST 0 0 1 1 SYSTEM TRUST DELETE
Add account to trust - An association of an account with the trust which confers trust permissions to the user
XDAS_AE_ASSOC_TRUST 0 0 1 2 SYSTEM TRUST ADD USER
Remove account from trust - Disassociation of an account with a trust
XDAS_AE_DEASSOC_TRUST 0 0 1 3 SYSTEM TRUST REMOVE USER
Query trust attributes - The requesting of the attributes associated with a trust within a domain
XDAS_AE_QUERY_TRUST 0 0 1 4 SYSTEM TRUST QUERY
Modify trust attributes - The modification of the attributes associated with a trust within a domain
XDAS_AE_MODIFY_TRUST 0 0 1 5 SYSTEM TRUST MODIFY
Grant trust access - Grant access to a resource (file, table, service, function) to a trust
XDAS_AE_GRANT_TRUST_ACCESS 0 0 1 7 SYSTEM TRUST GRANT PERMISSION
Revoke trust access - Revoke access to a resource (file, table, service, function) from a trust
XDAS_AE_REVOKE_TRUST_ACCESS 0 0 1 8 SYSTEM TRUST REVOKE PERMISSION
User Session Events - This set of events is relevant to the creation and use of user sessions on the system.
Create a user session - The establishment of a processing environment to service an end user, e.g. authentication or logging in
XDAS_AE_CREATE_SESSION 0 0 2 0 SYSTEM USER LOGIN
Terminate a user session - The dismantling of a processing environment associated with servicing an end user
XDAS_AE_TERMINATE_SESSION 0 0 2 1 SYSTEM USER LOGOUT
Query user session attributes - The requesting of the attributes associated with a user session
XDAS_AE_QUERY_SESSION 0 0 2 2 SYSTEM SESSION QUERY
Modify user session attributes - The modification of security-significant attributes of the context of a processing environment servicing an end user
XDAS_AE_MODIFY_SESSION 0 0 2 3 SYSTEM SESSION MODIFY
Authenticate user - In most cases this is part of the login process, but in some environments the authentication happens separately from the creation of the session.
XDAS_AE_AUTHENTICATE_ACCOUNT 0 0 2 4 SYSTEM USER AUTH
Privilege Escalation - This occurs when a user escalates their privilege level
XDAS_AE_PRIV_ESCALATE 0 0 2 5 SYSTEM USER PRIV ESCALATE
Data Item and Resource Element Management Events - This set of events relate to the creation and management of data items and resource elements within a domain, e.g. files and directories, device special files, shared memory segments within an operating system, tables and records within a database, messages within an email system. The type of data item or resource element is dependent upon the domain.
Create data item - Creation of a data item within a domain
XDAS_AE_CREATE_DATA_ITEM 0 0 3 0 SYSTEM DATAITEM CREATE
Delete data item - Deletion of a data item from a domain
XDAS_AE_DELETE_DATA_ITEM 0 0 3 1 SYSTEM DATAITEM DELETE
Query data item attributes - The requesting of the attributes associated with a domain data item
XDAS_AE_QUERY_DATA_ITEM_ATT 0 0 3 2 SYSTEM DATAITEM QUERY
Modify data item attributes - The modification of the security attributes of a domain data item such as access control attributes, ownership, aliases, etc.
XDAS_AE_MODIFY_DATA_ITEM_ATT 0 0 3 3 SYSTEM DATAITEM MODIFY
Service or Application Management Events - This set of events relate to the management of system services and applications.
Install service or application - The installation of additional or updated software on a system; e.g. an application or system service.
XDAS_AE_INSTALL_SERVICE 0 0 4 0 SYSTEM SERVICE INSTALL
Remove service or application - The de-installation of software on a system
XDAS_AE_REMOVE_SERVICE 0 0 4 1 SYSTEM SERVICE REMOVE
Configure service or application - The modification of the configuration data associated with a software component
XDAS_AE_MODIFY_SERVICE_CONFIG 0 0 4 2 SYSTEM SERVICE CONFIG
Query configuration of service or application - The requesting of information about the configuration of a service or application
XDAS_AE_QUERY_SERVICE_CONFIG 0 0 4 3 SYSTEM SERVICE QUERY
Disable service or application - An action that prevents an application or system service from being used; for example, inhibiting responses to service requests. It may also involve the termination (shutdown) of application processing components that are currently providing the service.
XDAS_AE_DISABLE_SERVICE 0 0 4 4 SYSTEM SERVICE DISABLE
Enable service or application - An action that permits an application or system service to be used; for example, allowing responses to service requests. This may also involve the invocation of specific application processing components (startup).
XDAS_AE_ENABLE_SERVICE 0 0 4 5 SYSTEM SERVICE ENABLE
Service and Application Utilization Events - These events relate to the use of services and applications. They typically map to the execution of a program or a procedure and manipulation of the processing environment.
Invoke service or application - The invocation of a service or application (exec); e.g. operating system utility, database, accounting application, etc.
XDAS_AE_INVOKE_SERVICE 0 0 5 0 SYSTEM PROCESS INVOKE
Terminate service or application component - The termination (exit) of the use of a service or application. This could be at the instigation of the application itself or by the intervention of the domain in response to user or administrative action.
XDAS_AE_TERMINATE_SERVICE 0 0 5 1 SYSTEM PROCESS TERMINATE
Query processing context - The requesting of the attributes associated with the current processing environment
XDAS_AE_QUERY_PROCESS_CONTEXT 0 0 5 2 SYSTEM PROCESS QUERY
Modify processing context - The modification of the attributes associated with the current processing environment
XDAS_AE_MODIFY_PROCESS_CONTEXT 0 0 5 3 SYSTEM PROCESS MODIFY
Peer Association Management Events
Create an association with a peer - The creation of a communication channel and the processing context between system components
XDAS_AE_CREATE_PEER_ASSOC 0 0 6 0 SYSTEM PEER ASSOC
Terminate an association with a peer - The closure of a communications channel and destruction of processing context between system components
XDAS_AE_TERMINATE_PEER_ASSOC 0 0 6 1 SYSTEM PEER DEASSOC
Query an association context - The requesting of the attributes of a context associated with a communications channel between peers
XDAS_AE_QUERY_ASSOC_CONTEXT 0 0 6 2 SYSTEM PEER QUERY
Modify an association context - The modification of the attributes of a processing context associated with a communications channel
XDAS_AE_MODIFY_ASSOC_CONTEXT 0 0 6 3 SYSTEM PEER MODIFY
Receive data via an association - Receiving data from associated peer within current association context
XDAS_AE_RECEIVE_DATA_VIA_ASSOC 0 0 6 4 SYSTEM PEER RECEIVE
Send data via an association - Sending data to associated peer within current association context
XDAS_AE_SEND_DATA_VIA_ASSOC 0 0 6 5 SYSTEM PEER SEND
Data Item or Resource Element Content Access Events - These events relate to the formation of an association between a service or application and a data item or resource element for the purpose of using its contents or services; for example, a file or directory, device special file, memory segment, communications port, etc.
Create association with data item - Create an association with (open) a data item. This creates a binding between the caller and the data item.
XDAS_AE_CREATE_DATA_ITEM_ASSOC 0 0 7 0 SYSTEM DATAITEM OPEN
Terminate association with data item - The termination of an existing association with (close) a data item
XDAS_AE_TERMINATE_DATA_ITEM_ASSOC 0 0 7 1 SYSTEM DATAITEM CLOSE
Query context of association with data item - The requesting of the context of an association with a data item; e.g. mode of access, size limits, access path, etc.
XDAS_AE_QUERY_DATA_ITEM_ASSOC_CONTEXT 0 0 7 2 SYSTEM DATAASSOC QUERY
Modify context of association with a data item - The modification of the context of an association with a data item or resource element
XDAS_AE_MODIFY_DATA_ITEM_ASSOC_CONTEXT 0 0 7 3 SYSTEM DATAASSOC MODIFY
Query data item contents - The requesting of the contents of a domain data item (read)
XDAS_AE_QUERY_DATA_ITEM_CONTENTS 0 0 7 4 SYSTEM DATA READ
Modify data item contents - The modification of the contents of a domain data item (write, append, etc.)
XDAS_AE_MODIFY_DATA_ITEM_CONTENTS 0 0 7 5 SYSTEM DATA WRITE
Exceptional Events - These are events that are considered to be outside the generalized events listed above.
Start system - The action of booting a system host or of changing the processing state of a system host to an operational mode
XDAS_AE_START_SYS 0 0 8 0 SYSTEM SYS START
Shutdown system - The action of halting the processing by a system host or changing the processing state of a system host to a maintenance mode
XDAS_AE_SHUTDOWN_SYS 0 0 8 1 SYSTEM SYS SHUTDOWN
Resource exhaustion - The detection of resource exhaustion which has a potential impact on system operations, perhaps based upon a configurable threshold; e.g. data storage resources, communication end points, etc.
XDAS_AE_RESOURCE_EXHAUST 0 0 8 2 SYSTEM RESOURCE EXHAUST
Resource corruption - The detection of an integrity failure of a system resource; for example, a data storage resource.
XDAS_AE_RESOURCE_CORRUPT 0 0 8 3 SYSTEM RESOURCE CORRUPTED
Backup datastore - The action of making a backup copy of a datastore for the purposes of protecting availability and integrity of the data it contains
XDAS_AE_BACKUP_DATASTORE 0 0 8 4 SYSTEM OBJECT BACKUP
Recover datastore - The action of restoring the contents of a datastore from a previously made backup copy for the purposes of restoring the availability of the contents, or the integrity of the contents, or both
XDAS_AE_RECOVER_DATASTORE 0 0 8 5 SYSTEM OBJECT RESTORE
Scan start - Some component of the system is being scanned; use the application information to understand what type of scan is being performed.
XDAS_AE_SCAN_START 0 0 8 6 SYSTEM OBJECT SCANSTART
Scan stop - Some component of the system was being scanned and the scan has now stopped; use the application information to understand what type of scan was being performed.
XDAS_AE_SCAN_STOP 0 0 8 7 SYSTEM OBJECT SCANSTOP
System Signature Update - A download of system signature, pattern, or configuration data was performed.
XDAS_AE_CONFUPDATE 0 0 8 8 SYSTEM CONFIG UPDATE
License Validation - A validation check on the license or subscription was performed.
XDAS_AE_LICENSE 0 0 8 9 SYSTEM CONFIG LICENSE
Audit Service Management Events - These are events of specific relevance to the audit service itself.
Configure audit service - The modification of the parameters controlling the operation of the audit service; for example, audit event filtering criteria.
XDAS_AE_AUD_CONFIG 0 0 9 0 SYSTEM AUDIT CONFIG
Audit datastore full - The detection of resource exhaustion for the particular instance of the resource used to store the log of audit event records
XDAS_AE_AUD_DS_FULL 0 0 9 1 SYSTEM AUDIT FULL
Audit datastore corrupted - The detection of a datastore integrity failure for the particular instance of the resource used to store the log of audit event records
XDAS_AE_AUD_DS_CORR 0 0 9 2 SYSTEM AUDIT CORRUPT
Audit service start - Start or enable auditing service
XDAS_AE_AUD_START 0 0 9 3 SYSTEM AUDIT START
Audit service stop - Stop or disable the audit service
XDAS_AE_AUD_STOP 0 0 9 4 SYSTEM AUDIT STOP
Audit datastore deleted - Delete a container of audit information such as a file or DB table
XDAS_AE_AUD_DELETE 0 0 9 5 SYSTEM AUDIT DELETE
Workflow Events - Many systems define activity workflows that are followed to perform a specific task, like incident handling, issue resolution, account provisioning, and so forth. This category of events reports on the processes occurring within the workflow.
Create workflow instance - A workflow instance was created in response to some detected condition, such as a user request or detected event.
XDAS_AE_WF_CREATE 0 0 10 0 SYSTEM WORKFLOW CREATE
Invoke workflow task - A task within a workflow instance was invoked
XDAS_AE_WF_INVOKE 0 0 10 1 SYSTEM WORKFLOW INVOKE
Assign workflow task - A manual task within a workflow was assigned to be handled by a user or group/role
XDAS_AE_WF_ASSIGN 0 0 10 2 SYSTEM WORKFLOW ASSIGN
Terminate workflow task - A task within a workflow was terminated, either by completion, timeout, or explicit termination.
XDAS_AE_WF_FINISH 0 0 10 3 SYSTEM WORKFLOW FINISH
Attack Events - This set of events is applicable to various types of intrusion attempts that may be detected by local or remote IDS/IPS/AV software.
Information Leak Attempt - Records if an attempt is made to illicitly gather information about resources in the environment
XDAS_AE_IDS_INFO 0 0 11 0 SYSTEM ATTACK INFO
Penetration Attempt - Records if a targeted penetration attempt is made against enterprise resources
XDAS_AE_IDS_PENETRATE 0 0 11 1 SYSTEM ATTACK PENETRATE
Denial of Service Attempt - Records if a Denial of Service attempt is made against enterprise resources
XDAS_AE_IDS_DOS 0 0 11 2 SYSTEM ATTACK DOS
Resource Probe Attempt - Records if various types of probes are detected against enterprise resources
XDAS_AE_IDS_PROBE 0 0 11 3 SYSTEM ATTACK PROBE
Resource Infected - Record if an AV or IDS determines that a system has been affected by a virus or similar infection.
XDAS_AE_INFECTED 0 0 11 4 SYSTEM RESOURCE INFECTED
Resource Cleaned - Record if an AV or IDS determines that a system has been cleaned by antivirus.
XDAS_AE_CLEANED 0 0 11 5 SYSTEM RESOURCE CLEANED
Resource Quarantine - Record if an AV or IDS determines that a system has been quarantined by antivirus.
XDAS_AE_QUARANTINED 0 0 11 6 SYSTEM RESOURCE QUARANTINED
Evasion - Record if an evasion attack is detected by an IDS
XDAS_AE_IDS_EVASION 0 0 11 7 SYSTEM ATTACK EVASION
Suspicious Activity - Record if suspicious activity is detected by an IDS
XDAS_AE_IDS_SUSPICIOUS 0 0 11 8 SYSTEM ATTACK SUSPICIOUS
Spam or Phishing - Record if spam or phishing content is detected in an e-mail
XDAS_AE_SPAM 0 0 11 9 SYSTEM RESOURCE SPAM
Virus Infection - Record if a system is detected to have been infected by a virus.
XDAS_AE_INFECTED_VIRUS 0 0 11 10 SYSTEM RESOURCE VIRUS
Worm Infection - Record if a system is detected to have been infected by a worm.
XDAS_AE_INFECTED_WORM 0 0 11 11 SYSTEM RESOURCE WORM
Trojan Infection - Record if a system is detected to have been infected by a trojan.
XDAS_AE_INFECTED_TROJAN 0 0 11 12 SYSTEM RESOURCE TROJAN


Sentinel Outcome Taxonomy

Columns: XDAS Outcome Name, Outcome, Detail. The Outcome number groups the results into four classes (0 = success, 1 = failure, 2 = denial, 3 = unknown) and Detail distinguishes the specific result within that class.

XDAS_OUT_SUCCESS 0 0
XDAS_OUT_PRIV_USED 0 1
XDAS_OUT_PRIV_GRANTED 0 2
XDAS_OUT_PRIV_REVOKED 0 3
XDAS_OUT_PRESELECT_CRITERIA_SET 0 4
XDAS_OUT_THRESHOLDS_SET 0 5
XDAS_OUT_ACTIONS_SET 0 6
XDAS_OUT_FAILURE 1 0
XDAS_OUT_SERVICE_UNAVAILABLE 1 1
XDAS_OUT_SERVICE_FAILURE 1 2
XDAS_OUT_HARDWARE_FAILURE 1 3
XDAS_OUT_LOST_ASSOCIATION 1 4
XDAS_OUT_ALREADY_DISABLED 1 5
XDAS_OUT_SERVICE_ERROR 1 6
XDAS_OUT_BUSY 1 7
XDAS_OUT_DISABLED 1 8
XDAS_OUT_INVALID_INPUT 1 9
XDAS_OUT_ENTITY_EXISTS 1 10
XDAS_OUT_ENTITY_NON-EXISTENT 1 11
XDAS_OUT_THRESHOLD_EXCEEDED 1 12
XDAS_OUT_DENIAL 2 0
XDAS_OUT_INSUFFICIENT_PRIVILEGE 2 1
XDAS_OUT_INVALID_IDENTITY 2 2
XDAS_OUT_INVALID_USER_CREDENTIALS 2 3
XDAS_OUT_INSUFFICIENT_INPUT 2 4
XDAS_OUT_POLICY_VIOLATION 2 5
XDAS_OUT_EXPIRED 2 6
XDAS_OUT_UNKNOWN 3 0


Sentinel Observer Taxonomy

Columns: Long Name, Abbr (the abbreviation is the last token on each line)

Operating System OS
Database DB
Network Firewall FW
Host-based Firewall HFW
Intrusion Detection/Prevention System IDS
Antivirus AV
Antispam AS
Vulnerability Scanner VULN
Network Router/Switch NETD
Network Management (DNS/DHCP/etc) NETM
Identity Management IDM
Proxy PROX
Virtual Private Network VPN
Cloud Access Provider CAP
Incident Management INCM
Configuration Management CM
Change Management CHA
File Integrity Monitoring FIM
E-Mail System EML
Web and/or Application Server WEB
Data Loss Prevention DLP
Financial Application FIN
HR Application HR
Business Management BM
Storage STO
Network User Behavior Analysis NUBA
Security Event Management SIEM
General application or service not in other tr APP
Event source not in other tr O


Sentinel License Types

Type Description
I Single server operating system, database, security or network device (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), routers, switches, etc.). Devices or software that send their event logs to a management console/device/software or syslog server are counted by the number of primary source devices from which the logs originate.
II Applications or operating systems on individual desktop computers (e.g., virus scanning per desktop) or hand-held or portable devices.
III Vulnerability Scanners, such as eEye Retina or Nessus.
IV Non-security enterprise applications (e.g., enterprise resource planning (ERP) software, email, application delivery, etc.), log management appliances or software, but does not include syslog servers. Additionally a Type IV Device includes any other device that doesn't qualify as a Type I, Type II, Type III or Type V Device.
V Mainframe security logical partitions (LPARs) to be monitored (e.g., RACF, TopSecret and ACF2) and mid-range servers (e.g., AS400 or HP NonStop).


© 2014 Novell