Meta-tags

Meta-tags store metadata: information about the event data, held under pre-defined variable names. For example, the source IP of an attack is mapped to the SIP meta-tag and product names are mapped to the PN meta-tag. Meta-tag values are populated either from device log data or are set as part of Collector processing.

For information on the Event Configuration and mapping feature in the Sentinel Control Center, see Admin tab documentation.

The value in the Collector Variable column is the name of the Collector variable to set in order to populate the corresponding Meta-tag. For more information about parsing commands, refer to Collector Parsing Commands and the documentation for specific Collectors.

The types specified in the Type column have the following properties:

NOTE: In the table below, Labels and Meta-tags are the names used in the Sentinel Control Center; Collector Variables are the names used in the Collector parsing language. Not every meta-tag has a corresponding Collector Variable.

| Label | Meta-tag | Type | Description | Collector Variable |
|---|---|---|---|---|
| CorrelatedEventUuids | ceu | string | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | |
| Criticality | crt | integer | The criticality of the asset identified in this event. | s_CRIT |
| Ct1 thru Ct2 (Reserved Customer) | ct1 thru ct2 | string | Reserved for use by customers for customer-specific data (String). | s_CT1 and s_CT2 |
| Ct3 (Reserved Customer) | ct3 | integer | Reserved for use by customers for customer-specific data (Number). | s_CT3 |
| CustomerVar1 thru CustomerVar10 | cv1 thru cv10 | integer | Reserved for use by customers for customer-specific data (Number). | s_CV1 thru s_CV10 |
| CustomerVar11 thru CustomerVar20 | cv11 thru cv20 | date | Reserved for use by customers for customer-specific data (Date). | s_CV11 thru s_CV20 |
| CustomerVar21 thru CustomerVar29 | cv21 thru cv29 | string | Reserved for use by customers for customer-specific data (String). | s_CV21 thru s_CV29 |
| CustomerVar30 thru CustomerVar34 | cv30 thru cv34 | string | Reserved for use by customers for customer-specific data (String). Can hold strings up to 4000 characters long. | s_CV30 thru s_CV34 |
| CustomerVar35 thru CustomerVar89 | cv35 thru cv89 | string | Reserved for use by customers for customer-specific data (String). | s_CV35 thru s_CV89 |
| SARBOX | cv90 | string | Sarbanes-Oxley specific data. | s_CV90 |
| HIPAA | cv91 | string | Health Insurance Portability and Accountability Act (HIPAA) specific data. | s_CV91 |
| GLBA | cv92 | string | Gramm-Leach-Bliley Act (GLBA) specific data. | s_CV92 |
| FISMA | cv93 | string | Federal Information Security Management Act (FISMA) specific data. | s_CV93 |
| NISPOM | cv94 | string | National Industrial Security Program Operating Manual (NISPOM) specific data. | s_CV94 |
| SIPCountry | cv95 | string | Country of the source IP. | s_CV95 |
| DIPCountry | cv96 | string | Country of the destination IP. | s_CV96 |
| CustomerVar97 thru CustomerVar100 | cv97 thru cv100 | string | Reserved for use by customers for customer-specific data (String). | s_CV97 thru s_CV100 |
| EventTime | dt | date | The normalized date and time of the event, as given by the Collector. | |
| DestinationHostName | dhn | string | The destination host name to which the event was targeted. | s_DHN |
| DestinationIP | dip | IPv4 | The destination IP address to which the event was targeted. | s_DIP |
| DestinationPortName | dp | string (32) | The destination port to which the event was targeted. | s_DP |
| DestinationUserName | dun | string | The destination user name on which an action was attempted. Example: attempts to reset the password of root. | s_DUN |
| EventID | id | UUID | Unique identifier for this event. | |
| DeviceEventTimeString | et | string | The normalized time of the event as reported by the sensor, parsed into the format Y-M-D-H:M:S~AMPM24~TZ. | s_ET |
| EventName | evt | string | The descriptive name of the event as reported (or given) by the sensor. Example: "Port Scan". | s_EVT |
| ExtendedInformation | ei | string (1000) | Stores additional Collector-collected information. Values within this variable are separated by semicolons (;). Example: a domain for an ID, or file names. | s_EI |
| FileName | fn | string (1000) | The name of the program executed or the file accessed, modified or affected. Example: the name of a virus-infected file or a program detected by an IDS. | s_FN |
| Message | msg | string (4000) | Free-form message text for the event. | s_BM |
| Protocol | prot | string | The network protocol of the event. | s_P |
| ProductName | pn | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. Example: Check Point FireWall = CPFW. | s_PN |
| ReporterName | rn | string | The host name or IP address of the device to which an event was logged or from which notification of the event is sent. | s_RN |
| ReservedVar1 thru ReservedVar10 | rv1 thru rv10 | integer | Reserved by Novell for expansion (Number). | s_RV1 thru s_RV10 |
| ReservedVar11 thru ReservedVar20 | rv11 thru rv20 | date | Reserved by Novell for expansion (Date). | s_RV11 thru s_RV20 |
| ReservedVar21 thru ReservedVar25 | rv21 thru rv25 | UUID | Reserved by Novell for expansion (UUID). | s_RV21 thru s_RV25 |
| ControlPack | rv26 | string | Sentinel control categorization, level 1. | s_RV26 |
| ControlMonitor | rv27 | string | Sentinel control categorization, level 2. | s_RV27 |
| ReservedVar28 | rv28 | string | Reserved by Novell for expansion (String). | s_RV28 |
| SourceIPCountry | rv29 | string | Country of the source IP address. | s_RV29 |
| AttackID | rv30 | string | Normalized attack ID (Advisor attack ID). | s_RV30 |
| DeviceName | rv31 | string | Name of the security device. | s_RV31 |
| DeviceCategory | rv32 | string | Device category: AV (anti-virus), DB (database), ESEC (system event), FW (firewall), IDS (intrusion detection), OS (operating system). | s_RV32 |
| EventContext | rv33 | string | Event context (threat level). | s_RV33 |
| SourceThreatLevel | rv34 | string | Source threat level. | s_RV34 |
| SourceUserContext | rv35 | string | Source user context. | s_RV35 |
| DataContext | rv36 | string | Data context. | s_RV36 |
| SourceFunction | rv37 | string | Source function. | s_RV37 |
| SourceOperationalContext | rv38 | string | Source operational context. | s_RV38 |
| MSSPCustomerName | rv39 | string | MSSP customer name. | s_RV39 |
| ReservedVar40 thru ReservedVar43 | rv40 thru rv43 | string | Reserved by Novell for expansion (String). | s_RV40 thru s_RV43 |
| DestinationThreatLevel | rv44 | string | Destination threat level. | s_RV44 |
| DestinationUserContext | rv45 | string | Destination user context. | s_RV45 |
| VirusStatus | rv46 | string | Virus status. | s_RV46 |
| DestinationFunction | rv47 | string | Destination function. | s_RV47 |
| DestinationOperationalContext | rv48 | string | Destination operational context. | s_RV48 |
| ReservedVar49 | rv49 | string | Reserved by Novell for expansion (String). | s_RV49 |
| eSecTaxonomyLevel1 | rv50 | string | Sentinel event code categorization, level 1. | s_RV50 |
| eSecTaxonomyLevel2 | rv51 | string | Sentinel event code categorization, level 2. | s_RV51 |
| eSecTaxonomyLevel3 | rv52 | string | Sentinel event code categorization, level 3. | s_RV52 |
| eSecTaxonomyLevel4 | rv53 | string | Sentinel event code categorization, level 4. | s_RV53 |
| ReservedVar54 thru ReservedVar55 | rv54 thru rv55 | string | Reserved by Novell for expansion (String). | s_RV54 thru s_RV55 |
| SourceAssetName | rv56 | string | Source (Asset Mgmt) Asset Name. | s_RV56 |
| SourceMacAddress | rv57 | string | Source (Asset Mgmt) MAC Address. | s_RV57 |
| SourceNetworkIdentity | rv58 | string | Source (Asset Mgmt) Network Identity. | s_RV58 |
| SourceAssetCategory | rv59 | string | Source (Asset Mgmt) Asset Category. | s_RV59 |
| SourceEnvironmentIdentity | rv60 | string | Source (Asset Mgmt) Environment Identity. | s_RV60 |
| SourceAssetValue | rv61 | string | Source (Asset Mgmt) Asset Value. | s_RV61 |
| SourceCriticality | rv62 | string | Source (Asset Mgmt) Criticality. | s_RV62 |
| SourceSensitivity | rv63 | string | Source (Asset Mgmt) Sensitivity. | s_RV63 |
| SourceBuilding | rv64 | string | Source (Asset Mgmt) Building. | s_RV64 |
| SourceRoom | rv65 | string | Source (Asset Mgmt) Room. | s_RV65 |
| SourceRackNumber | rv66 | string | Source (Asset Mgmt) Rack Number. | s_RV66 |
| SourceCity | rv67 | string | Source (Asset Mgmt) City. | s_RV67 |
| SourceState | rv68 | string | Source (Asset Mgmt) State. | s_RV68 |
| SourceCountry | rv69 | string | Source (Asset Mgmt) Country. | s_RV69 |
| SourceZipCode | rv70 | string | Source (Asset Mgmt) Zip Code. | s_RV70 |
| SourceAssetOwner | rv71 | string | Source (Asset Mgmt) Asset Owner. | s_RV71 |
| SourceAssetMaintainer | rv72 | string | Source (Asset Mgmt) Asset Maintainer. | s_RV72 |
| SourceBusinessUnit | rv73 | string | Source (Asset Mgmt) Business Unit. | s_RV73 |
| SourceLineOfBusiness | rv74 | string | Source (Asset Mgmt) Line of Business. | s_RV74 |
| SourceDivision | rv75 | string | Source (Asset Mgmt) Division. | s_RV75 |
| SourceDepartment | rv76 | string | Source (Asset Mgmt) Department. | s_RV76 |
| SourceAssetId | rv77 | string | Source (Asset Mgmt) Source Asset Id. | s_RV77 |
| DestinationAssetName | rv78 | string | Destination (Asset Mgmt) Asset Name. | s_RV78 |
| DestinationMacAddress | rv79 | string | Destination (Asset Mgmt) MAC Address. | s_RV79 |
| DestinationNetworkIdentity | rv80 | string | Destination (Asset Mgmt) Network Identity. | s_RV80 |
| DestinationAssetCategory | rv81 | string | Destination (Asset Mgmt) Asset Category. | s_RV81 |
| DestinationEnvironmentIdentity | rv82 | string | Destination (Asset Mgmt) Environment Identity. | s_RV82 |
| DestinationAssetValue | rv83 | string | Destination (Asset Mgmt) Asset Value. | s_RV83 |
| DestinationCriticality | rv84 | string | Destination (Asset Mgmt) Criticality. | s_RV84 |
| DestinationSensitivity | rv85 | string | Destination (Asset Mgmt) Sensitivity. | s_RV85 |
| DestinationBuilding | rv86 | string | Destination (Asset Mgmt) Building. | s_RV86 |
| DestinationRoom | rv87 | string | Destination (Asset Mgmt) Room. | s_RV87 |
| DestinationRackNumber | rv88 | string | Destination (Asset Mgmt) Rack Number. | s_RV88 |
| DestinationCity | rv89 | string | Destination (Asset Mgmt) City. | s_RV89 |
| DestinationState | rv90 | string | Destination (Asset Mgmt) State. | s_RV90 |
| DestinationCountry | rv91 | string | Destination (Asset Mgmt) Country. | s_RV91 |
| DestinationZipCode | rv92 | string | Destination (Asset Mgmt) Zip Code. | s_RV92 |
| DestinationAssetOwner | rv93 | string | Destination (Asset Mgmt) Asset Owner. | s_RV93 |
| DestinationAssetMaintainer | rv94 | string | Destination (Asset Mgmt) Asset Maintainer. | s_RV94 |
| DestinationBusinessUnit | rv95 | string | Destination (Asset Mgmt) Business Unit. | s_RV95 |
| DestinationLineOfBusiness | rv96 | string | Destination (Asset Mgmt) Line of Business. | s_RV96 |
| DestinationDivision | rv97 | string | Destination (Asset Mgmt) Division. | s_RV97 |
| DestinationDepartment | rv98 | string | Destination (Asset Mgmt) Department. | s_RV98 |
| DestinationAssetId | rv99 | string | Destination (Asset Mgmt) Destination Asset Id. | s_RV99 |
| ReservedVar100 | rv100 | string | Reserved by Novell for expansion (String). | s_RV100 |
| Resource | res | string | The resource name. | s_Res |
| DeviceAttackName | rt1 | string | For use with Advisor. Attack name from the security device. | s_RT1 |
| Rt2 | rt2 | string | Populated with the correlation rule name when a correlation rule generates an event. | s_RT2 |
| Rt3 | rt3 | integer | Reserved by Novell for expansion (Number). | s_RT3 |
| SourceHostName | shn | string | The source host name from which the event originated. | s_SHN |
| SourceID | src | UUID | Unique identifier for the Sentinel process that generated this event. | |
| SourceIP | sip | IPv4 | The source IP address from which the event originated. | s_SIP |
| SensorName | sn | string | The name of the "ultimate detector" of the event when received in raw data. Example: "FW1" for a firewall. | s_SN |
| Severity | sev | integer | The normalized severity of the event (0-5). | i_Severity |
| SourcePort | sp | string (32) | The source port from which the event originated. | s_SP |
| SensorType | st | string (5) | The single-character designator for the sensor type: A (audit), C (correlation), H (host-based), I (internal, system event), N (network-based), O (other), P (performance, system event), V (anti-virus), W (watchlist). | s_ST |
| SourceUserName | sun | string | The source user name used to initiate an event. Example: "jdoe" during an attempt to "su". | s_SUN |
| SubResource | sres | string | The sub-resource name. | s_SubRes |
| Vulnerability | vul | integer | The vulnerability of the asset identified in this event. | s_VULN |
| Collector Script | agent | string (64) | Sentinel Collector that generated the event. For system events, the Collector will be either Performance or Internal. | Not Applicable |
| Collector | port | string (64) | Sentinel Collector port description. | Not Applicable |
| DeviceEventTime | det | Date | The time at which the device reported the event to have occurred. This is the same value as the et field, but of type Date instead of String; it exists because good Date criteria are hard to build on a String. | Not Applicable |
| SentinelProcessTime | spt | Date | The time at which Sentinel received the event. This is the same value as dt if Trust event time is not selected. | Not Applicable |
| BeginTime | bgnt | Date | The date and time the event started occurring. | s_BGNT |
| EndTime | endt | Date | The date and time the event stopped occurring. | s_ENDT |
| RepeatCount | rc | integer | If the same event occurred repeatedly, and a separate event is not created for each occurrence, this field holds the number of occurrences. | s_RC |
| DestinationPort | dpint | integer | The destination port to which the event was targeted. | s_DPINT |
| SourcePort | spint | integer | The source port from which the event originated. | s_SPINT |
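The Collector Variable to meta-tag mapping described above, as an added example (not Sentinel's own code) that checks a parsed event against a subset of the table before the meta-tags are set: IPv4 fields must parse as addresses, sev must be 0-5, string (32)/(5)/(4000) caps are enforced, and st and rv32 must be one of the codes listed. The SCHEMA subset, the helper names and the sample event are assumptions constructed for this example.

```python
import ipaddress

SCHEMA = {  # subset of the table above: meta-tag -> (Collector variable, type, max length)
    "sip": ("s_SIP", "IPv4", None), "dip": ("s_DIP", "IPv4", None),
    "sp": ("s_SP", "string", 32), "dp": ("s_DP", "string", 32),
    "sev": ("i_Severity", "integer", None), "st": ("s_ST", "string", 5),
    "rv32": ("s_RV32", "string", None), "msg": ("s_BM", "string", 4000),
}
SENSOR_TYPES = set("ANHIOPVCW")                               # SensorType (st)
DEVICE_CATEGORIES = {"AV", "DB", "ESEC", "FW", "IDS", "OS"}  # DeviceCategory (rv32)
VAR_TO_TAG = {var: tag for tag, (var, _, _) in SCHEMA.items()}

def check_value(tag, value):
    """Return an error message, or None when value fits the meta-tag's type."""
    _, typ, maxlen = SCHEMA[tag]
    if typ == "IPv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return f"{tag}: not an IPv4 address: {value!r}"
    elif typ == "integer":
        if not isinstance(value, int):
            return f"{tag}: expected an integer"
        if tag == "sev" and not 0 <= value <= 5:  # normalized severity is 0-5
            return f"{tag}: severity {value} outside 0-5"
    else:  # string: enforce the length cap and the enumerated codes
        if not isinstance(value, str):
            return f"{tag}: expected a string"
        if maxlen is not None and len(value) > maxlen:
            return f"{tag}: longer than {maxlen} characters"
        if tag == "st" and value not in SENSOR_TYPES:
            return f"{tag}: unknown sensor type {value!r}"
        if tag == "rv32" and value not in DEVICE_CATEGORIES:
            return f"{tag}: unknown device category {value!r}"
    return None

def map_event(collector_vars):
    """Map parsed Collector variables to meta-tags; return (event, errors)."""
    event, errors = {}, []
    for var, value in collector_vars.items():
        tag = VAR_TO_TAG.get(var)
        if tag is None:
            errors.append(f"{var}: no meta-tag mapping in SCHEMA")
        elif (err := check_value(tag, value)):
            errors.append(err)
        else:
            event[tag] = value
    return event, errors

# Constructed sample (not from the page): a network IDS port-scan alert
SAMPLE = {"s_SIP": "10.0.0.5", "s_DIP": "192.0.2.10", "s_DP": "22",
          "i_Severity": 4, "s_ST": "N", "s_RV32": "IDS", "s_BM": "Port Scan"}
```

Values that fail a check are reported rather than silently stored, which is what you want when a Collector maps a raw field into a typed meta-tag such as sev or dip.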