Meta-tags store meta-data. Meta-data is information about data and pre-defined variable names. For example, the source IP of an attack is mapped to the SIP meta-tag and product names are mapped to the PN meta-tag. Meta-tags are populated either from device log data or as part of Collector processing.
For information on the Event Configuration and mapping feature in the Sentinel Control Center, see the Admin tab documentation.
The value in the Collector Variable column is the name of the Collector variable to set in order to populate the corresponding Meta-tag. For more information about parsing commands, see Collector Parsing Commands and the documentation for specific Collectors.
The types specified in the Type column have the following properties:
string: limited to 255 characters (unless otherwise specified)
integer: 32 bit signed integer
UUID: 36-character (with hyphens) or 32-character (without hyphens) hexadecimal string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (for example, 6A5349DA-7CBF-1028-9795-000BCDFFF482)
date: the Collector variable must be set to the date as the number of milliseconds since January 1, 1970 00:00:00 GMT. When displayed in the Sentinel Control Center, meta-tags of type date are shown in a regular date format.
IPv4: IP address in dotted decimal notation (that is, xxx.xxx.xxx.xxx)
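As an added illustration (not Novell's code and not the Collector parsing language), the following Python pre-check applies the type rules listed above to values before they are assigned to Collector variables. The function names and the sample event are constructed for this example; the variable-to-type mapping is a subset taken from the table on this page.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

# Collector variable -> type, copied from the table on this page (subset).
VAR_TYPES = {"i_Severity": "integer", "s_RC": "integer", "s_SIP": "IPv4",
             "s_DIP": "IPv4", "s_EVT": "string", "s_RV21": "UUID", "s_BGNT": "date"}
UUID_RE = re.compile(r"(?:[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
                     r"|[0-9A-Fa-f]{32})\Z")

def to_epoch_ms(dt):
    """Milliseconds since 1970-01-01 00:00:00 GMT for a timezone-aware datetime."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: time zone unknown")
    return (dt - datetime(1970, 1, 1, tzinfo=timezone.utc)) // timedelta(milliseconds=1)

def check_value(meta_type, value):
    """Return None if value fits meta_type, else a short reason."""
    text = str(value)
    if meta_type == "string":  # 255 is the default limit stated on the page
        return None if len(text) <= 255 else "longer than 255 characters"
    if meta_type in ("integer", "date"):
        try:
            n = int(text)
        except ValueError:
            return "not a whole number"
        if meta_type == "integer" and not -2**31 <= n <= 2**31 - 1:
            return "outside 32-bit signed range"
        return None
    if meta_type == "UUID":
        return None if UUID_RE.match(text) else "not a 32- or 36-character hex UUID"
    if meta_type == "IPv4":
        try:
            IPv4Address(text)
        except ValueError:
            return "not a dotted-decimal IPv4 address"
        return None
    return "unknown type"

def check_event(event):
    """Return {variable: reason} for each value that breaks its declared type."""
    found = ((var, check_value(VAR_TYPES.get(var, ""), val)) for var, val in event.items())
    return {var: reason for var, reason in found if reason}

# Constructed sample event; values are illustrative only.
SAMPLE = {"i_Severity": 3, "s_SIP": "192.0.2.10", "s_EVT": "Port Scan",
          "s_DIP": "10.0.0.300",   # octet out of range
          "s_RC": "4294967295",    # unsigned counter, too large for signed 32-bit
          "s_RV21": "6A5349DA-7CBF-1028-9795-000BCDFFF482",
          "s_BGNT": to_epoch_ms(datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc))}
```

Calling `check_event(SAMPLE)` reports only `s_DIP` and `s_RC`; the other values fit their declared types.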
NOTE: In the table below, Labels and Meta-tags are used in the Sentinel Control Center. Collector Variables are used in the Collector parsing language. Not all meta-tags have a corresponding Collector Variable.
| Label | Meta-tag | Type | Description | Collector Variable |
|---|---|---|---|---|
| Severity | sev | integer | The normalized severity of the event (0-5). | i_Severity |
| Vulnerability | vul | integer | The vulnerability of the asset identified in this event. | s_VULN |
| Criticality | crt | integer | The criticality of the asset identified in this event. | s_CRIT |
| EventTime | dt | date | The normalized date and time of the event, as given by the collector. | |
| SourceIP | sip | IPv4 | The source IP address from which the event originated. | s_SIP |
| DestinationIP | dip | IPv4 | The destination IP address to which the event was targeted. | s_DIP |
| EventID | id | UUID | Unique identifier for this event. | |
| SourceID | src | UUID | Unique identifier for the Sentinel service which generated this event. | |
| Collector | port | string | Name of the Collector that generated this event. | Not Applicable |
| CollectorScript | agent | string | The name of the Collector Script used by the Collector to generate this event. | Not Applicable |
| Resource | res | string | Compliance monitoring hierarchy level 1 | s_RES |
| SubResource | sres | string | Compliance monitoring hierarchy level 2 | s_SubRes |
| EventName | evt | string | The descriptive name of the event as reported (or given) by the sensor. Example: Port Scan. | s_EVT |
| SensorName | sn | string | The name of the ultimate detector of the event when received in raw data. Example: FW1 for a firewall. | s_SN |
| SensorType | st | string | The single character designator for the sensor type (N, H, O, V, C, A, I). | s_ST |
| DeviceEventTime | det | date | The normalized date and time of the event, as reported by the sensor. | |
| Protocol | prot | string | The network protocol of the event. | s_P |
| SourceHostName | shn | string | The source host name from which the event originated. | s_SHN |
| SourcePort | spint | integer | The source port from which the event originated. | s_SPINT |
| DestinationHostName | dhn | string | The destination host name to which the event was targeted. | s_DHN |
| DestinationPort | dpint | integer | The destination port to which the event was targeted. | s_DPINT |
| SourceUserName | sun | string | The source user name used to initiate an event. Example: jdoe during an attempt to su. | s_SUN |
| DestinationUserName | dun | string | The destination user name on which an action was attempted. Example: root during a password reset. | s_DUN |
| FileName | fn | string | The name of the program executed or the file accessed, modified or affected. | s_FN |
| ExtendedInformation | ei | string | Stores additional collector processed information. Values within this variable are separated by semi-colons (;). | s_EI |
| ReporterName | rn | string | The host name or IP address of the device to which an event was logged or from which notification of the event is sent. | s_RN |
| ProductName | pn | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. | s_PN |
| Message | msg | string | Free-form message text for the event. | s_BM |
| DeviceAttackName | rt1 | string | Device specific attack name that matches attack name known by Advisor. (String) | s_RT1 |
| Rt2 | rt2 | string | Reserved by Novell for expansion. (String) | s_RT2 |
| Ct1 thru Ct2 | ct1 thru ct2 | string | Reserved for use by customers for customer-specific data. (String) | s_CT1 and s_CT2 |
| Rt3 | rt3 | integer | Reserved by Novell for expansion. (Number) | |
| Ct3 | ct3 | integer | Reserved for use by customers for customer-specific data. (Number) | s_CT3 |
| CorrelatedEventUuids | ceu | string | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | s_RT3 |
| CustomerHierarchyId | rv1 | integer | Customer Hierarchy Id | s_RV1 |
| ReservedVar2 thru ReservedVar10 | rv2 thru rv10 | integer | Reserved by Novell for expansion. (Number) | s_RV2 thru s_RV10 |
| ReservedVar11 thru ReservedVar20 | rv11 thru rv20 | date | Reserved by Novell for expansion. (Date) | s_RV11 thru s_RV20 |
| CollectorManagerId | rv21 | UUID | Unique identifier for the Collector Manager which generated this event. | s_RV21 |
| CollectorId | rv22 | UUID | Unique identifier for the Collector which generated this event. | s_RV22 |
| ConnectorId | rv23 | UUID | Unique identifier for the Connector which generated this event. | s_RV23 |
| EventSourceId | rv24 | UUID | Unique identifier for the Event Source which generated this event. | s_RV24 |
| RawDataRecordId | rv25 | UUID | Unique identifier for the Raw Data Record associated with this event. | s_RV25 |
| ControlPack | rv26 | string | Not currently in use | s_RV26 |
| ControlMonitor | rv27 | string | Not currently in use | s_RV27 |
| ReservedVar28 | rv28 | string | Reserved by Novell for expansion. (String) | s_RV28 |
| SourceIPCountry | rv29 | string | Country of source IP address. | s_RV29 |
| AttackId | rv30 | string | Normalized Attack Id. This is taken from Advisor data. (String) | s_RV30 |
| DeviceName | rv31 | string | The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) | s_RV31 |
| DeviceCategory | rv32 | string | Device category (FW, IDS, AV, OS, DB). | s_RV32 |
| EventContext | rv33 | string | Event context (threat level). | s_RV33 |
| SourceThreatLevel | rv34 | string | Source threat level. | s_RV34 |
| SourceUserContext | rv35 | string | Source user context. | s_RV35 |
| DataContext | rv36 | string | Data context. | s_RV36 |
| SourceFunction | rv37 | string | Source function. | s_RV37 |
| SourceOperationalContext | rv38 | string | Source operational context. | s_RV38 |
| MSSPCustomerName | rv39 | string | MSSP customer name. | s_RV39 |
| VendorEventCode | rv40 | string | Event code reported by device vendor. (String) | s_RV40 |
| DestinationDomain | rv41 | string | Destination Domain. (String) | s_RV41 |
| SourceDomain | rv42 | string | Source Domain. (String) | s_RV42 |
| ReservedVar43 | rv43 | string | Reserved by Novell for expansion. (String) | s_RV43 |
| DestinationThreatLevel | rv44 | string | Destination threat level. | s_RV44 |
| DestinationUserContext | rv45 | string | Destination user context. | s_RV45 |
| VirusStatus | rv46 | string | Virus status. | s_RV46 |
| DestinationFunction | rv47 | string | Destination function. | s_RV47 |
| DestinationOperationalContext | rv48 | string | Destination operational context. | s_RV48 |
| CustomerHierarchyLevel1 | rv49 | string | Customer Hierarchy Level 1 (used by MSSPs) | s_RV49 |
| eSecTaxonomyLevel1 | rv50 | string | Sentinel event code categorization - level 1. | s_RV50 |
| eSecTaxonomyLevel2 | rv51 | string | Sentinel event code categorization - level 2. | s_RV51 |
| eSecTaxonomyLevel3 | rv52 | string | Sentinel event code categorization - level 3. | s_RV52 |
| eSecTaxonomyLevel4 | rv53 | string | Sentinel event code categorization - level 4. | s_RV53 |
| CustomerHierarchyLevel2 | rv54 | string | Customer Hierarchy Level 2 (used by MSSPs) | s_RV54 |
| CustomerHierarchyLevel3 | rv55 | string | Customer Hierarchy Level 3 (used by MSSPs) | s_RV55 |
| SourceAssetName | rv56 | string | Source Asset Name. Part of source host asset data. (String) | s_RV56 |
| SourceMacAddress | rv57 | string | Source Mac Address. Part of source host asset data. (String) | s_RV57 |
| SourceNetworkIdentity | rv58 | string | Source Network Identity. Part of source host asset data. (String) | s_RV58 |
| SourceAssetCategory | rv59 | string | Source Asset Category. Part of source host asset data. (String) | s_RV59 |
| SourceEnvironmentIdentity | rv60 | string | Source Environment Identity. Part of source host asset data. (String) | s_RV60 |
| SourceAssetValue | rv61 | string | Source Asset Value. Part of source host asset data. (String) | s_RV61 |
| SourceCriticality | rv62 | string | Source Criticality. Part of source host asset data. (String) | s_RV62 |
| SourceSensitivity | rv63 | string | Source Sensitivity. Part of source host asset data. (String) | s_RV63 |
| SourceBuilding | rv64 | string | Source Building. Part of source host asset data. (String) | s_RV64 |
| SourceRoom | rv65 | string | Source Room. Part of source host asset data. (String) | s_RV65 |
| SourceRackNumber | rv66 | string | Source Rack Number. Part of source host asset data. (String) | s_RV66 |
| SourceCity | rv67 | string | Source City. Part of source host asset data. (String) | s_RV67 |
| SourceState | rv68 | string | Source State. Part of source host asset data. (String) | s_RV68 |
| SourceCountry | rv69 | string | Source Country. Part of source host asset data. (String) | s_RV69 |
| SourceZipCode | rv70 | string | Source Zip Code. Part of source host asset data. (String) | s_RV70 |
| SourceAssetOwner | rv71 | string | Source Asset Owner. Part of source host asset data. (String) | s_RV71 |
| SourceAssetMaintainer | rv72 | string | Source Asset Maintainer. Part of source host asset data. (String) | s_RV72 |
| SourceBusinessUnit | rv73 | string | Source Business Unit. Part of source host asset data. (String) | s_RV73 |
| SourceLineOfBusiness | rv74 | string | Source Line Of Business. Part of source host asset data. (String) | s_RV74 |
| SourceDivision | rv75 | string | Source Division. Part of source host asset data. (String) | s_RV75 |
| SourceDepartment | rv76 | string | Source Department. Part of source host asset data. (String) | s_RV76 |
| SourceAssetId | rv77 | string | Source Asset Id. Part of source host asset data. (String) | s_RV77 |
| DestinationAssetName | rv78 | string | Destination Asset Name. Part of destination host asset data. (String) | s_RV78 |
| DestinationMacAddress | rv79 | string | Destination Mac Address. Part of destination host asset data. (String) | s_RV79 |
| DestinationNetworkIdentity | rv80 | string | Destination Network Identity. Part of destination host asset data. (String) | s_RV80 |
| DestinationAssetCategory | rv81 | string | Destination Asset Category. Part of destination host asset data. (String) | s_RV81 |
| DestinationEnvironmentIdentity | rv82 | string | Destination Environment Identity. Part of destination host asset data. (String) | s_RV82 |
| DestinationAssetValue | rv83 | string | Destination Asset Value. Part of destination host asset data. (String) | s_RV83 |
| DestinationCriticality | rv84 | string | Destination Criticality. Part of destination host asset data. (String) | s_RV84 |
| DestinationSensitivity | rv85 | string | Destination Sensitivity. Part of destination host asset data. (String) | s_RV85 |
| DestinationBuilding | rv86 | string | Destination Building. Part of destination host asset data. (String) | s_RV86 |
| DestinationRoom | rv87 | string | Destination Room. Part of destination host asset data. (String) | s_RV87 |
| DestinationRackNumber | rv88 | string | Destination Rack Number. Part of destination host asset data. (String) | s_RV88 |
| DestinationCity | rv89 | string | Destination City. Part of destination host asset data. (String) | s_RV89 |
| DestinationState | rv90 | string | Destination State. Part of destination host asset data. (String) | s_RV90 |
| DestinationCountry | rv91 | string | Destination Country. Part of destination host asset data. (String) | s_RV91 |
| DestinationZipCode | rv92 | string | Destination Zip Code. Part of destination host asset data. (String) | s_RV92 |
| DestinationAssetOwner | rv93 | string | Destination Asset Owner. Part of destination host asset data. (String) | s_RV93 |
| DestinationAssetMaintainer | rv94 | string | Destination Asset Maintainer. Part of destination host asset data. (String) | s_RV94 |
| DestinationBusinessUnit | rv95 | string | Destination Business Unit. Part of destination host asset data. (String) | s_RV95 |
| DestinationLineOfBusiness | rv96 | string | Destination Line Of Business. Part of destination host asset data. (String) | s_RV96 |
| DestinationDivision | rv97 | string | Destination Division. Part of destination host asset data. (String) | s_RV97 |
| DestinationDepartment | rv98 | string | Destination Department. Part of destination host asset data. (String) | s_RV98 |
| DestinationAssetId | rv99 | string | Destination Asset Id. Part of destination host asset data. (String) | s_RV99 |
| CustomerHierarchyLevel4 | rv100 | string | Customer Hierarchy Level 4 (used by MSSPs) | s_RV100 |
| CustomerVar1 thru CustomerVar10 | cv1 thru cv10 | integer | Reserved for use by customers for customer-specific data. (Number) | s_CV1 thru s_CV10 |
| CustomerVar11 thru CustomerVar20 | cv11 thru cv20 | date | Reserved for use by customers for customer-specific data. (Date) | s_CV11 thru s_CV20 |
| CustomerVar21 thru CustomerVar29 | cv21 thru cv29 | string | Reserved for use by customers for customer-specific data. (String) | s_CV21 thru s_CV29 |
| CustomerVar30 thru CustomerVar34 | cv30 thru cv34 | string | Reserved for use by customers for customer-specific data. (String) | s_CV30 thru s_CV34 |
| CustomerVar35 thru CustomerVar89 | cv35 thru cv89 | string | Reserved for use by customers for customer-specific data. (String) | s_CV35 thru s_CV89 |
| SARBOX | cv90 | string | Set to 1 if the asset is governed by Sarbanes-Oxley through an asset map. (String) | s_CV90 |
| HIPAA | cv91 | string | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation through an asset map. (String) | s_CV91 |
| GLBA | cv92 | string | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation through an asset map. (String) | s_CV92 |
| FISMA | cv93 | string | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation through an asset map. (String) | s_CV93 |
| NISPOM | cv94 | string | Set to 1 if the asset is governed by the National Industrial Security Program Operating Manual (NISPOM) regulation through an asset map. (String) | s_CV94 |
| SIPCountry | cv95 | string | Source Country based on Source IP. (String) | s_CV95 |
| DIPCountry | cv96 | string | Destination Country based on Destination IP. (String) | s_CV96 |
| CustomerVar97 thru CustomerVar100 | cv97 thru cv100 | string | Reserved for use by customers for customer-specific data. (String) | s_CV97 thru s_CV100 |
| DeviceEventTimeString | et | string | The normalized date and time of the event, as reported by the sensor. | s_ET |
| SentinelProcessTime | spt | date | The date and time Sentinel received the event. | Not Applicable |
| BeginTime | bgnt | date | The date and time the event started occurring. | s_BGNT |
| EndTime | endt | date | The date and time the event stopped occurring. | s_ENDT |
| RepeatCount | rc | integer | The number of times the same event occurred if multiple occurrences were consolidated. | s_RC |
| SourcePortName | sp | string | The source port from which the event originated. | s_SP |
| DestinationPortName | dp | string | The destination port to which the event was targeted. | s_DP |