6.3 Event Fields

Each event has fields that might or might not be populated, depending on the specific event. The values of these event fields can be viewed by running a search or a report. Each field has a short name that is used in advanced searches. Most of these values are visible in the detailed event view; some are also visible in the basic event view.

Table 6-1 Event Fields

| Field | Short Name | Description | Visible in Basic View | Visible in Detailed View |
|---|---|---|---|---|
| Severity | sev | Normalized severity of event on a scale of 0 (informational) to 5 (critical) | X | X |
| EventTime | dt | Time stamp of event. Can be the Identity Audit server time stamp or the time stamp from the original event source (if trust event time is enabled) | X | X |
| EventName | evt | Short name of the event | X | X |
| Message | msg | Detailed event message | | X |
| ProductName | pn | Product that generated the event; the event source. Displayed after the event name. | X | X |
| InitUserName | sun | Username of the user who initiated the event | X | X |
| InitUserID | iuid | User ID of the user who initiated the event, based on the raw data reported by the device. | | X |
| InitUserDomain | rv35 | Domain of the user who initiated the event | Searchable but not displayed in either event view | |
| InitHostName | shn | Hostname of the machine from which the event initiated | X | X |
| InitHostDomain | rv42 | Domain of the machine from which the event initiated | X | X |
| InitIP | sip | IP address of the machine from which the event initiated | | X |
| InitServicePort | spint | Port number from which the event initiated (for example, HTTP) | | X |
| InitServicePortName | sp | Type of port from which the event initiated (for example, HTTP) | | X |
| TargetUserName | dun | Username of the user who was the target of the event | X | X |
| TargetUserID | tuid | User ID of the user who was the target of the event, based on the raw data reported by the device. | | X |
| TargetUserDomain | rv45 | Domain of the user who was the target of the event | Searchable but not displayed in either event view | X |
| TargetHostName | dhn | Hostname of the machine that was the target of the event | X | X |
| TargetHostDomain | rv41 | Domain of the machine that was the target of the event | X | X |
| TargetIP | dip | IP address of the machine that was the target of the event | | X |
| TargetServicePort | dpint | Port number that was the target of the event (for example, 80) | | X |
| TargetServicePortName | dp | Type of port that was the target of the event (for example, HTTP) | | X |
| TargetTrustName | ttn | Role of the user that was a target of the event (for example, FinanceAdmin) | Searchable but not displayed in either event view | |
| TargetTrustID | ttid | Numerical ID representing the role of the user that was a target of the event | Searchable but not displayed in either event view | |
| TargetTrustDomain | ttd | Domain (namespace) within which the target trust exists. | Searchable but not displayed in either event view | |
| EffectiveUserName | euname | Name of the user that the InitUser is impersonating (root using su, for example); follows Initiator Username (Initiator User ID) in the detailed event view | | X |
| EffectiveUserID | euid | Numerical ID of the user that the InitUser is impersonating (root using su, for example), based on the raw data reported by the device. | | X |
| ObserverHostName | sn | Hostname of the machine that forwarded the event to the security information event management system (for example, the hostname of a syslog server) | Searchable but not displayed in either event view | |
| ObserverHostDomain | obsdom | Domain of the machine that forwarded the event to the security information event management system (for example, the domain of a syslog server) | Searchable but not displayed in either event view | |
| ObserverIP | obsip | IP address of the machine that forwarded the event to the security information event management system (for example, the IP address of a syslog server) | Searchable but not displayed in either event view | |
| ReporterHostName | rn | Hostname of the machine that reported the event to an observer | Searchable but not displayed in either event view | |
| ReporterHostDomain | repdom | Domain of the machine that reported the event to an observer | Searchable but not displayed in either event view | |
| ReporterIP | repip | IP address of the machine that reported the event to an observer | Searchable but not displayed in either event view | |
| SensorType | st | The single-character designator for the sensor type (N=network, H=host, O=operating system, A and I=Identity Audit auditing events, P=Identity Audit performance events) | Searchable but not displayed in either event view | |
| DataName/Filename | fn | Data object name reported in the event (for example, the file name or database table name) | | X |
| DataContext | rv36 | Container for the FileName data object (for example, a directory for a file or a database instance for a database table) | | X |
| TaxonomyLevel1 | rv50 | Target classification for the event. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | X | X |
| TaxonomyLevel2 | rv51 | Subtarget classification for the event. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | X | X |
| TaxonomyLevel3 | rv52 | Action information for the event. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | X | X |
| TaxonomyLevel4 | rv53 | Detail information for the event. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | X | X |

Some fields are tokenized. Tokenizing the fields makes it possible to search for an individual word in the field without a wildcard. The fields are tokenized based on spaces and other special characters. For these fields, articles such as “a” or “the” are removed from the search index.
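The following is an added example, not code from the Identity Audit product or its documentation. It builds a constructed event keyed by the short names in Table 6-1, renders the taxonomy line shown under the event name, and implements the tokenization rule described above (split on spaces and special characters, drop articles) so that a single word matches a tokenized field without a wildcard while a non-tokenized field still needs an exact value. The page does not list which fields are tokenized, so treating msg and fn as tokenized, and the article list itself, are assumptions.

```python
import re

# Assumptions (not stated on the page): which fields are tokenized and which words count as articles.
ARTICLES = {"a", "an", "the"}
TOKENIZED_FIELDS = {"msg", "fn"}
SPLIT_RE = re.compile(r"[^A-Za-z0-9]+")  # spaces and other special characters

# Constructed sample event using the Table 6-1 short names (sev, dt, evt, msg, sun, sip, fn, rv50-rv53).
SAMPLE_EVENT = {
    "sev": 4,
    "dt": "2024-05-01T10:15:00Z",
    "evt": "FileDelete",
    "msg": "The user deleted the file payroll.xlsx from a shared folder",
    "sun": "jdoe",
    "sip": "10.0.0.5",
    "fn": "payroll.xlsx",
    "rv50": "Data", "rv51": "File", "rv52": "Delete", "rv53": "Success",
}


def tokenize(value):
    """Split on spaces/special characters and drop articles, as the tokenization rule describes."""
    return [t.lower() for t in SPLIT_RE.split(value) if t and t.lower() not in ARTICLES]


def taxonomy_line(event):
    """Render the 'TaxonomyLevel1>> TaxonomyLevel2>> ...' line shown under the event name."""
    return ">> ".join(event.get(k, "") for k in ("rv50", "rv51", "rv52", "rv53"))


def field_matches(event, short_name, term):
    """Tokenized fields match on any single word; other fields require the exact stored value."""
    value = str(event.get(short_name, ""))
    if short_name in TOKENIZED_FIELDS:
        return term.lower() in tokenize(value)
    return value == term


if __name__ == "__main__":
    print(taxonomy_line(SAMPLE_EVENT))
    print(field_matches(SAMPLE_EVENT, "msg", "payroll"))  # word hit without a wildcard
    print(field_matches(SAMPLE_EVENT, "sun", "jd"))       # partial value does not match
```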