|
BeginTime |
bgnt |
The date and time the event started occurring. |
|
|
|
|
Collector |
port |
Name of the Collector that generated this event. |
|
|
|
|
CollectorId |
rv22 |
Unique identifier for the Collector which generated this event. |
|
|
|
|
CollectorManagerId |
rv21 |
Unique identifier for the Collector Manager which generated this event. |
|
|
|
|
CollectorScript |
agent |
The name of the Collector Script used by the Collector to generate this event. |
Y |
|
Y |
|
ConnectorId |
rv23 |
Unique identifier for the Connector which generated this event. |
|
|
|
|
ControlMonitor |
rv27 |
Control categorization - level 2 |
Y |
|
|
|
ControlPack |
rv26 |
Control categorization - level 1 |
Y |
|
|
|
CorrelatedEventUuids |
ceu |
List of event UUIDs associated with this correlated event. Only relevant for correlated events. |
|
|
|
|
Criticality |
crt |
The criticality of the asset identified in this event. |
|
|
|
|
Ct1 |
ct1 |
Reserved for use by customers for customer-specific data. (String) |
|
|
|
|
Ct2 |
ct2 |
Reserved for use by customers for customer-specific data. (String) |
|
|
|
|
Ct3 |
ct3 |
Reserved for use by customers for customer-specific data. (Number) |
|
|
|
|
CustomerHierarchyId |
rv1 |
Customer Hierarchy Id |
|
|
|
|
CustomerHierarchyLevel1 |
rv49 |
Customer Hierarchy Level 1 |
Y |
|
|
|
CustomerHierarchyLevel2 |
rv54 |
Customer Hierarchy Level 2 |
|
|
|
|
CustomerHierarchyLevel3 |
rv55 |
Customer Hierarchy Level 3 |
|
|
|
|
CustomerHierarchyLevel4 |
rv100 |
Customer Hierarchy Level 4 |
|
|
|
|
CustomerVar1-CustomerVar10 |
cv1-10 |
Reserved for use by customers for customer-specific data. (Number) |
Y |
|
Y |
|
CustomerVar100 |
cv100 |
Reserved for use by customers for customer-specific data. (String) |
Y |
|
|
|
CustomerVar101-CustomerVar130 |
cv101-130 |
Reserved for use by customers for customer-specific data. (Integer; Stored in DB) |
Y |
|
|
|
CustomerVar11-CustomerVar20 |
cv11-20 |
Reserved for use by customers for customer-specific data. (Date) |
Y |
|
|
|
CustomerVar131-140 |
cv131-140 |
Reserved for use by customers for customer-specific data. (IPv4; Stored in DB) |
Y |
|
|
|
CustomerVar141-150 |
cv141-150 |
Reserved for use by customers for customer-specific data. (String; Stored in DB) |
Y |
|
|
|
CustomerVar151-160 |
cv151-160 |
Reserved for use by customers for customer-specific data. (Integer; Not stored in DB) |
Y |
|
|
|
CustomerVar161-170 |
cv161-170 |
Reserved for use by customers for customer-specific data. (Date; Not stored in DB) |
Y |
|
|
|
CustomerVar171-180 |
cv171-180 |
Reserved for use by customers for customer-specific data. (UUID; Not stored in DB) |
Y |
|
|
|
CustomerVar181-190 |
cv181-190 |
Reserved for use by customers for customer-specific data. (IPv4; Not stored in DB) |
Y |
|
|
|
CustomerVar191-200 |
cv191-200 |
Reserved for use by customers for customer-specific data. (String; Not stored in DB) |
Y |
|
|
|
CustomerVar21-99 |
cv21-99 |
Reserved for use by customers for customer-specific data. (String) |
Y |
|
|
|
DataContext |
rv36 |
Container for the FileName data object (for example, a directory for a file or a database instance for a database table) |
Y |
|
Y |
|
DataTagId |
rv3 |
An Id for user-defined event tagging. |
|
|
|
|
DataValue43 |
rv43 |
Data Value. (String) |
Y |
|
|
|
DeviceAttackName |
rt1 |
Device specific attack name that matches attack name known by Advisor. (String) |
|
|
|
|
DeviceCategory |
rv32 |
Device category (FW, IDS, AV, OS, DB). |
|
|
|
|
DeviceEventTime |
det |
The normalized date and time of the event, as reported by the sensor. |
|
|
|
|
DeviceEventTimeString |
et |
The normalized date and time of the event, as reported by the sensor. |
|
|
|
|
DeviceName |
rv31 |
The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) |
Y |
Y |
|
|
EventTime |
dt
|
Time stamp of the event. It can be the Sentinel Log Manager server time stamp or the time stamp from the original event source (if is enabled) |
|
Y |
Y |
|
EffectiveUserDomain |
eudom |
The domain (namespace) in which the effective user account exists.. |
|
|
Y |
|
EffectiveUserID |
euid |
The source-specific identifier of the account that is effectively being used as determined by the Collector based on raw device data. |
|
|
Y |
|
EffectiveUserName |
euname |
The name of the account that is effectively being used. |
|
|
Y |
|
EndTime |
endt |
The date and time the event stopped occurring. |
|
|
|
|
EventContext |
rv33 |
Event context (threat level). |
Y |
|
|
|
EventGroupID |
evtgrpid |
A source-specific identifier to group multiple related events together. |
|
|
Y |
|
EventMetric |
rv2 |
An event-dependent numeric value. |
|
|
Y |
|
EventMetricClass |
rv28 |
The class of the event-dependent numeric value. |
|
|
|
|
EventName |
evt |
The descriptive name of the event as reported (or given) by the sensor. Example Port Scan. |
Y |
Y |
Y |
|
EventSourceId |
rv24 |
Unique identifier for the Event Source which generated this event. |
|
|
Y |
|
ExtendedInformation |
ei |
Stores additional Collector processed information. Values within this variable are separated by semi-colons (). |
Y |
|
Y |
|
FISMA |
cv93 |
Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation via an asset map. (String) |
|
|
|
|
GLBA |
cv92 |
Set to 1 if the asset is governed by the Gramm-Leach Bliley Act regulation via an asset map. (String) |
|
|
|
|
HIPAA |
cv91 |
Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation via an asset map. (String) |
|
|
|
|
InitAssetClass |
rv59 |
The class of the initiating system (desktop, server, etc). |
Y |
|
|
|
InitAssetCriticality |
rv62 |
The criticality of the initiating system (0-5). |
|
|
|
|
InitAssetDepartment |
rv76 |
The department of the initiating system. |
Y |
|
|
|
InitAssetFunction |
rv60 |
The function of the initiating system (fileserver, webserver, etc). |
Y |
|
|
|
InitAssetId |
rv77 |
Internal asset identifier of the initiator. |
|
|
|
|
InitFunction |
rv37 |
Initiator function. |
Y |
|
|
|
InitHostName |
shn |
The unqualified host name of the initiating system. |
|
Y |
Y |
|
InitHostDomain |
rv42 |
The domain portion of the initiating system's fully-qualified hostname. |
|
Y |
Y |
|
InitIP |
sip |
The IPv4 address of the initiating system. |
|
|
Y |
|
InitIPCountry |
rv29 |
The country where the IPv4 address of the initiating system is located. |
Y |
|
|
|
InitOperationalContext |
rv38 |
Initiator operational context. |
Y |
|
|
|
InitServiceComp |
isvcc |
The subcomponent of the initiating service that caused this event. |
Y |
|
|
|
InitServicePort |
spint |
The port used by the service/application that initiated the connection. |
|
|
Y |
|
InitServiceName |
sp |
The name of the initiating service that caused this event. |
|
|
Y |
|
InitThreatLevel |
rv34 |
Initiator threat level. |
|
|
|
|
InitUserDepartment |
iudep |
The department of the identity associated with the initiating account. |
Y |
|
|
|
InitUserDomain |
rv35 |
The domain (namespace) in which the initiating account exists. |
|
Y |
|
|
InitUserFullName |
iufname |
The full name of the identity associated with the initiating account. |
Y |
Y |
Y |
|
InitUserID |
iuid |
The initiating account's source-specific identifier as determined by the Collector based on raw device data. |
|
|
Y |
|
InitUserIdentity |
iuident |
The internal UUID of the identity associated with the initiating account. |
|
|
|
|
InitUserName |
sun |
The initiating user's account name (SourceUsername). |
|
Y |
Y |
|
MSSPCustomerName |
rv39 |
MSSP customer name. |
|
|
|
|
MaxRetentionDate165 |
rv165 |
Date this event's retention policy requires it to be deleted. (Date; Not stored in DB) |
|
|
|
|
Message |
msg |
Free-form message text for the event. |
Y |
Y |
Y |
|
MinRetentionDate164 |
rv164 |
Date this event's retention policy allows it to be deleted. (Date; Not stored in DB) |
|
|
Y |
|
NISPOM |
cv94 |
Set to 1 if the asset is governed by National Industrial Security Program Operating Manual (NISPOM) regulation via an asset map. (String) |
|
|
|
|
ObserverAssetClass |
obsclass |
The class of the observer's hardware platform (recommended: server, desktop, laptop, etc). |
Y |
|
|
|
ObserverAssetCriticality |
obscrit |
The criticality rating of the observer (recommended: low, med, high). |
|
|
|
|
ObserverAssetDepartment |
obsdep |
The department (or other organizational unit) that owns the observer system. |
Y |
|
|
|
ObserverAssetFunction |
obsfunc |
The primary function that the observer system performs (examples: web server, file server, IDS, etc). |
Y |
|
|
|
ObserverAssetId |
obsassetid |
Internal asset identifier of the observer. |
|
|
|
|
ObserverChannel |
rv150 |
The channel on which the observer delivered the event, for multi-channel protocols. An example would be the syslog facility. (String; Stored in DB) |
|
|
Y |
|
ObserverHostDomain |
obsdom |
The domain portion of the observer's (sensor) fully qualified hostname. |
|
|
Y |
|
ObserverHostName |
sn |
The unqualified hostname of the observer of the event (SensorName). |
|
|
Y |
|
ObserverIP |
obsip |
The IP address of the observer (sensor) that detected the event. |
|
|
Y |
|
ProductName |
pn |
Indicates the type, vendor and product code name of the sensor from which the event was generated. |
Y |
Y |
Y |
|
Protocol |
prot |
The protocol used between the initiating and target services. |
|
|
Y |
|
RepeatCount |
rc |
The number of times the same event occurred if multiple occurrences were consolidated. |
|
|
Y |
|
ReporterAssetClass |
repclass |
The class of the reporter's hardware platform (recommended: server, desktop, laptop, etc). |
Y |
|
|
|
ReporterAssetCriticality |
repcrit |
The criticality rating of the reporter (recommended: low, med, high). |
|
|
|
|
ReporterAssetDepartment |
repdep |
The department (or other organizational unit) that owns the reporter system. |
Y |
|
|
|
ReporterAssetFunction |
repfunc |
The primary function that the reporter system performs (examples: web server, file server, IDS, etc). |
Y |
|
|
|
ReporterAssetId |
repassetid |
Internal asset identifier of the reporter. |
|
|
|
|
ReporterHostName |
rn |
The unqualified hostname of the reporter of the event (ReporterName). |
|
|
Y |
|
ReporterHostDomain |
repdom |
The domain portion of the reporter's fully qualified hostname. |
|
|
Y |
|
ReporterIP |
repip |
The IP address of the reporter, i.e. the system that delivered the event to this server. |
|
|
Y |
|
Resource |
res |
The resource name. |
|
|
|
|
RetentionPolicyConflict |
rv101 |
Set to 1 (true) if more than one retention policy matched this event but only one was chosen. (Integer; Stored in DB) |
|
|
Y |
|
Rt2 |
rt2 |
Reserved by Novell for expansion. (String) |
|
|
|
|
Rt3 |
rt3 |
Reserved by Novell for expansion. (Number) |
|
|
|
|
SARBOX |
cv90 |
Set to 1 if the asset is governed by Sarbanes-Oxley via an asset map. (String) |
|
|
|
|
SensorType |
st |
The single character designator for the sensor type (N, H, O, V, C, W, A, I). |
|
|
|
|
Severity |
sev |
The normalized severity of the event (0-5). |
|
Y |
Y |
|
SentinelProcessTime |
spt |
The date and time this server received the event. |
|
|
|
|
SentinelServiceID |
src |
Unique identifier for the Sentinel service which generated this event. |
|
|
|
|
SubResource |
sres |
The sub-resource name. |
Y |
|
|
|
TargetAssetClass |
rv81 |
The class of the target system (desktop, server, etc). |
Y |
|
|
|
TargetAssetCriticality |
rv84 |
The criticality of the target system (0-5). |
|
|
|
|
TargetAssetDepartment |
rv98 |
The department of the target system. |
Y |
|
|
|
TargetAssetFunction |
rv82 |
The function of the target system (fileserver, webserver, etc). |
Y |
|
|
|
TargetAssetId |
rv99 |
Internal asset identifier of the target. |
|
|
|
|
TargetDataName |
fn |
The name of the data object (file, database table, directory object, etc) that was affected by this event. |
|
|
Y |
|
TargetFunction |
rv47 |
Target function. |
Y |
|
|
|
TargetIPCountry |
rv30 |
The country where the IPv4 address of the target system is located. |
Y |
|
|
|
TargetOperationalContext |
rv48 |
Target operational context. |
Y |
|
|
|
TargetServiceComp |
tsvcc |
The subcomponent of the target service affected by this event. |
Y |
|
|
|
TargetThreatLevel |
rv44 |
Target threat level. |
|
|
|
|
TargetUserDepartment |
tudep |
The department of the identity associated with the target account. |
Y |
|
|
|
TargetUserFullName |
tufname |
The full name of the identity associated with the target account. |
Y |
|
|
|
TargetUserIdentity |
tuident |
The internal UUID of the identity associated with the target account. |
|
|
|
|
TargetUserName |
dun |
The target user's account name (DestinationUsername). |
|
Y |
Y |
|
TargetUserID |
tuid |
The target account's source-specific identifier as determined by the Collector based on raw device data. |
|
|
Y |
|
TargetUserDomain |
rv45 |
The domain (namespace) in which the target account exists. |
|
|
Y |
|
TargetHostName |
dhn |
The unqualified hostname of the target system. |
|
Y |
Y |
|
TargetHostDomain |
rv41 |
The domain portion of the target system's fully-qualified hostname. |
|
Y |
Y |
|
TargetIP |
dip |
The IPv4 address of the target system. |
|
|
Y |
|
TargetServicePort |
dpint |
The network port accessed on the target. |
|
|
Y |
|
TargetServiceName |
dp |
The name of the target service affected by this event. |
|
|
Y |
|
TargetTrustName |
ttn |
The name of the trust (group, role, profile, etc) affected. |
|
|
|
|
TargetTrustID |
ttid |
The source-specific identifier of the trust (group, role, profile, etc) affected. |
|
|
|
|
TargetTrustDomain |
ttd |
The domain (namespace) within which the target trust exists. |
|
|
|
|
TaxonomyLevel1 |
rv50 |
Event code categorization - level 1. Displayed under the event name in the format:
TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 |
Y |
Y |
Y |
|
TaxonomyLevel2 |
rv51 |
Event code categorization - level 2. Displayed under the event name in the format:
TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 |
Y |
Y |
Y |
|
TaxonomyLevel3 |
rv52 |
Event code categorization - level 3. Displayed under the event name in the format:
TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 |
Y |
Y |
Y |
|
TaxonomyLevel4 |
rv53 |
Event code categorization - level 4. Displayed under the event name in the format:
TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 |
Y |
Y |
Y |
|
VendorEventCode |
rv40 |
Event code reported by device vendor. (String) |
|
|
|
|
VirusStatus |
rv46 |
Virus status. |
|
|
|
|
Vulnerability |
vul |
The vulnerability of the asset identified in this event. |
|
|
|
|
XDASClass |
xdasclass |
The XDAS Event Class ID; refer to XDAS specification. |
|
|
|
|
XDASDetail |
xdasdetail |
The XDAS outcome detail; refer to XDAS specification. |
|
|
|
|
XDASIdentifier |
xdasid |
The XDAS Event Identifier; refer to XDAS specification. |
|
|
|
|
XDASOutcome |
xdasoutcome |
The XDAS major outcome; success, failure, or denial. |
|
|
|
|
XDASOutcomeName |
xdasoutcomename |
Human-readable XDAS outcome. |
Y |
Y |
|
|
XDASProvider |
xdasprov |
The XDAS Provider ID; refer to XDAS specification. |
|
|
|
|
XDASRegistry |
xdasreg |
The XDAS Registry ID; refer to XDAS specification. |
|
|
|
|
XDASTaxonomyName |
xdastaxname |
Human-readable XDAS event taxonomy string. |
Y |
Y |
|