| Severity | sev | Normalized severity of event on a scale of 0 (informational) to 5 (critical) | X | X |
| EventTime | dt | Time stamp of event. Can be the Identity Audit server time stamp or the time stamp from the original event source (if is enabled) | X | X |
| EventName | evt | Short name of the event | X | X |
| Message | msg | Detailed event message |  | X |
| ProductName | pn | Product that generated the event; the event source. Displayed after the event name. | X | X |
| InitUserName | sun | Username of the user who initiated the event | X | X |
| InitUserID | iuid | User ID of the user who initiated the event, based on the raw data reported by the device. |  | X |
| InitUserDomain | rv35 | Domain of the user who initiated the event. Searchable but not displayed in either event view |  |  |
| InitHostName | shn | Hostname of the machine from which the event initiated | X | X |
| InitHostDomain | rv42 | Domain of the machine from which the event initiated | X | X |
| InitIP | sip | IP address of the machine from which the event initiated |  | X |
| InitServicePort | spint | Port number from which the event initiated (for example, HTTP) |  | X |
| InitServicePortName | sp | Type of port from which the event initiated (for example, HTTP) |  | X |
| TargetUserName | dun | Username of the user who was the target of the event | X | X |
| TargetUserID | tuid | User ID of the user who was the target of the event, based on the raw data reported by the device. |  | X |
| TargetUserDomain | rv45 | Domain of the user who was the target of the event. Searchable but not displayed in either event view |  | X |
| TargetHostName | dhn | Hostname of the machine that was the target of the event | X | X |
| TargetHostDomain | rv41 | Domain of the machine that was the target of the event | X | X |
| TargetIP | dip | IP address of the machine that was the target of the event |  | X |
| TargetServicePort | dpint | Port number that was the target of the event (for example, 80) |  | X |
| TargetServicePortName | dp | Type of port that was the target of the event (for example, HTTP) |  | X |
| TargetTrustName | ttn | Role of the user that was a target of the event (for example, FinanceAdmin). Searchable but not displayed in either event view |  |  |
| TargetTrustID | ttid | Numerical ID representing the role of the user that was a target of the event. Searchable but not displayed in either event view |  |  |
| TargetTrustDomain | ttd | Domain (namespace) within which the target trust exists. Searchable but not displayed in either event view |  |  |
| EffectiveUserName | euname | Name of the user that the InitUser is impersonating (root using su, for example); follows Initiator Username (Initiator User ID) in the detailed event view |  | X |
| EffectiveUserID | euid | Numerical ID of the user that the InitUser is impersonating (root using su, for example), based on the raw data reported by the device. |  | X |
| ObserverHostName | sn | Hostname of the machine that forwarded the event to the security information event management system (for example, the hostname of a syslog server). Searchable but not displayed in either event view |  |  |
| ObserverHostDomain | obsdom | Domain of the machine that forwarded the event to the security information event management system (for example, the domain of a syslog server). Searchable but not displayed in either event view |  |  |
| ObserverIP | obsip | IP address of the machine that forwarded the event to the security information event management system (for example, the IP address of a syslog server). Searchable but not displayed in either event view |  |  |
| ReporterHostName | rn | Hostname of the machine that reported the event to an observer. Searchable but not displayed in either event view |  |  |
| ReporterHostDomain | repdom | Domain of the machine that reported the event to an observer. Searchable but not displayed in either event view |  |  |
| ReporterIP | repip | IP address of the machine that reported the event to an observer. Searchable but not displayed in either event view |  |  |
| SensorType | st | The single character designator for the sensor type (N=network, H=host, O=operating system, A and I=Identity Audit auditing events, P=Identity Audit performance events). Searchable but not displayed in either event view |  |  |
| DataName/Filename | fn | Data object name reported in the event (for example, the file name or database table name) |  | X |
| DataContext | rv36 | Container for the FileName data object (for example, a directory for a file or a database instance for a database table) |  | X |
| TaxonomyLevel1 | rv50 | Target classification for event. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | X | X |
| TaxonomyLevel2 | rv51 | Subtarget classification for the event. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | X | X |
| TaxonomyLevel3 | rv52 | Action information for the event. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | X | X |
| TaxonomyLevel4 | rv53 | Detail information for the event. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | X | X |