Meta-tags are the named fields of a Sentinel event. Each meta-tag holds one piece of metadata, that is, information describing the event, stored in a pre-defined variable with a fixed name and type. For example, the source IP address of an attack is mapped to the SIP meta-tag and the product name of the reporting device is mapped to the PN meta-tag. A meta-tag is populated either from the device log data that the Collector parses or is set as part of the Collector's own processing.
For information on the Event Configuration and mapping feature in the Sentinel Control Center, see the Admin tab documentation.
The value in the Collector Variable column is the name of the Collector variable that must be set in order to populate the corresponding meta-tag. For more information about parsing commands, refer to Collector Parsing Commands and the documentation for the specific Collector.
The types specified in the Type column have the following properties:
string: limited to 255 characters unless a different limit is given in parentheses, for example string (32)
integer: 32-bit signed integer
UUID: 36-character (with hyphens) or 32-character (without hyphens) hexadecimal string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (for example, 6A5349DA-7CBF-1028-9795-000BCDFFF482)
date: the Collector Variable must be set to the number of milliseconds (not seconds) since January 1, 1970 00:00:00 GMT. When displayed in the Sentinel Control Center, meta-tags of type date are shown in a regular date format.
IPv4: IP address in dotted decimal notation (xxx.xxx.xxx.xxx)
NOTE: In the table below, Labels and Meta-tags are the names used in the Sentinel Control Center. Collector Variables are the names used in the Collector parsing language. Not all meta-tags have a corresponding Collector Variable; those rows have an empty or Not Applicable entry in that column. Where a value exists in both a string and a typed form (sp/dp and spint/dpint for ports, et and det for the device event time), use the typed field in filters and correlation criteria, because numeric and date comparisons on the string form are unreliable.
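A Collector that sets a variable with the wrong shape (a port glued onto an IP address, a date in seconds instead of milliseconds, a string past its length limit) produces an event that is stored but silently fails to match the filters and correlation rules written against the typed meta-tag. The following validator, added here as an example and not code from Sentinel or any Collector, checks a dict of Collector variables against the type rules above before the event is emitted. The SCHEMA entries copy the types and length limits from the table below; the port range for spint/dpint and the millisecond lower bound are assumptions made for this example, and the sample events are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Hypothetical validator written for this page; not part of Sentinel or any Collector.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
UUID_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
    r"|[0-9A-Fa-f]{32})$")
# Assumption: an epoch value below 10**11 (March 1973 in milliseconds) cannot be a
# plausible event time in milliseconds, so it was almost certainly given in seconds.
MS_LOWER_BOUND = 10**11

# Collector Variable -> (type, max length for strings, (lo, hi) for integers).
# Types and lengths are taken from the meta-tag table; the port range is an assumption.
SCHEMA = {
    "s_SIP":      ("IPv4",    None, None),
    "s_DIP":      ("IPv4",    None, None),
    "s_SP":       ("string",  32,   None),
    "s_DP":       ("string",  32,   None),
    "s_SPINT":    ("integer", None, (0, 65535)),
    "s_DPINT":    ("integer", None, (0, 65535)),
    "s_EVT":      ("string",  255,  None),
    "s_SUN":      ("string",  255,  None),
    "s_EI":       ("string",  1000, None),
    "s_FN":       ("string",  1000, None),
    "s_BM":       ("string",  4000, None),
    "s_CV11":     ("date",    None, None),
    "s_BGNT":     ("date",    None, None),
    "s_ENDT":     ("date",    None, None),
    "s_RV21":     ("UUID",    None, None),
    "s_RC":       ("integer", None, (1, INT32_MAX)),
    "i_Severity": ("integer", None, (0, 5)),
}


def to_epoch_millis(when):
    """Convert a timezone-aware datetime to the millisecond epoch value a date meta-tag needs."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: attach a tzinfo so the epoch value is unambiguous")
    return int(when.timestamp() * 1000)


def validate(event):
    """Return a list of problems for a dict of Collector variables; [] means all values conform."""
    problems = []
    for name, value in event.items():
        if name not in SCHEMA:
            problems.append(f"{name}: not a Collector variable in the schema")
            continue
        kind, maxlen, bounds = SCHEMA[name]
        text = str(value)
        if kind == "string":
            if len(text) > maxlen:
                problems.append(f"{name}: {len(text)} chars exceeds string({maxlen})")
        elif kind == "IPv4":
            try:
                ipaddress.IPv4Address(text)  # rejects hostnames, host:port and IPv6
            except ValueError:
                problems.append(f"{name}: {text!r} is not a dotted-decimal IPv4 address")
        elif kind == "UUID":
            if not UUID_RE.match(text):
                problems.append(f"{name}: {text!r} is not a 32- or 36-character hex UUID")
        else:  # integer and date are both whole numbers on the wire
            try:
                n = int(text)
            except ValueError:
                problems.append(f"{name}: {text!r} is not a whole number")
                continue
            if kind == "date":
                if n < MS_LOWER_BOUND:
                    problems.append(f"{name}: {n} looks like seconds, not milliseconds since 1970-01-01 GMT")
            else:
                lo, hi = bounds or (INT32_MIN, INT32_MAX)
                if not INT32_MIN <= n <= INT32_MAX:
                    problems.append(f"{name}: {n} does not fit a 32-bit signed integer")
                elif not lo <= n <= hi:
                    problems.append(f"{name}: {n} is outside the allowed range {lo}..{hi}")
    return problems


# Constructed sample events (not real log data).
GOOD_EVENT = {
    "s_SIP": "192.0.2.10",
    "s_DIP": "198.51.100.7",
    "s_DP": "443",
    "s_DPINT": "443",
    "s_EVT": "Port Scan",
    "s_BM": "constructed sample message",
    "i_Severity": "3",
    "s_CV11": to_epoch_millis(datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)),
    "s_RV21": "6A5349DA-7CBF-1028-9795-000BCDFFF482",
}
BAD_EVENT = {
    "s_SIP": "192.0.2.10:8080",                           # port glued onto the address
    "s_DP": "x" * 40,                                     # over the 32-character limit
    "i_Severity": "9",                                    # outside the normalized 0-5 range
    "s_CV11": 1243857600,                                 # seconds, not milliseconds
    "s_RV21": "6A5349DA-7CBF-1028-9795-000BCDFFF48G",     # G is not a hex digit
}

if __name__ == "__main__":
    print("good:", validate(GOOD_EVENT))
    for problem in validate(BAD_EVENT):
        print("bad: ", problem)
```

Run the check as the last step of the Collector's parsing routine and drop or quarantine events that fail it, rather than letting a malformed field reach the database where it will never match a rule.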
| Label | Meta-tag | Type | Description | Collector Variable |
|---|---|---|---|---|
| CorrelatedEventUuids | ceu | string | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | |
| Criticality | crt | integer | The criticality of the asset identified in this event. | s_CRIT |
| Ct1 thru Ct2 (Reserved Customer) | ct1 thru ct2 | string | Reserved for use by customers for customer-specific data (String). | s_CT1 and s_CT2 |
| Ct3 (Reserved Customer) | ct3 | integer | Reserved for use by customers for customer-specific data (Number). | s_CT3 |
| CustomerVar1 thru CustomerVar10 | cv1 thru cv10 | integer | Reserved for use by customers for customer-specific data (Number). | s_CV1 thru s_CV10 |
| CustomerVar11 thru CustomerVar20 | cv11 thru cv20 | date | Reserved for use by customers for customer-specific data (Date). | s_CV11 thru s_CV20 |
| CustomerVar21 thru CustomerVar29 | cv21 thru cv29 | string | Reserved for use by customers for customer-specific data (String). | s_CV21 thru s_CV29 |
| CustomerVar30 thru CustomerVar34 | cv30 thru cv34 | string (4000) | Reserved for use by customers for customer-specific data (String). Can hold strings of up to 4000 characters. | s_CV30 thru s_CV34 |
| CustomerVar35 thru CustomerVar89 | cv35 thru cv89 | string | Reserved for use by customers for customer-specific data (String). | s_CV35 thru s_CV89 |
| SARBOX | cv90 | string | Sarbanes-Oxley specific data. | s_CV90 |
| HIPAA | cv91 | string | Health Insurance Portability and Accountability Act (HIPAA) specific data. | s_CV91 |
| GLBA | cv92 | string | Gramm-Leach-Bliley Act (GLBA) specific data. | s_CV92 |
| FISMA | cv93 | string | Federal Information Security Management Act (FISMA) specific data. | s_CV93 |
| NISPOM | cv94 | string | National Industrial Security Program Operating Manual (NISPOM) specific data. | s_CV94 |
| SIPCountry | cv95 | string | Country of the source IP address. | s_CV95 |
| DIPCountry | cv96 | string | Country of the destination IP address. | s_CV96 |
| CustomerVar97 thru CustomerVar100 | cv97 thru cv100 | string | Reserved for use by customers for customer-specific data (String). | s_CV97 thru s_CV100 |
| EventTime | dt | date | The normalized date and time of the event, as given by the Collector. | |
| DestinationHostName | dhn | string | The destination host name to which the event was targeted. | s_DHN |
| DestinationIP | dip | IPv4 | The destination IP address to which the event was targeted. | s_DIP |
| DestinationPortName | dp | string (32) | The destination port to which the event was targeted. | s_DP |
| DestinationUserName | dun | string | The destination user name on which an action was attempted. Example: an attempt to reset the password of root. | s_DUN |
| EventID | id | UUID | Unique identifier for this event. | |
| DeviceEventTimeString | et | string | The normalized time of the event as reported by the sensor, parsed into the format Y-M-D-H:M:S~AMPM24~TZ. | s_ET |
| EventName | evt | string | The descriptive name of the event as reported (or given) by the sensor. Example: "Port Scan". | s_EVT |
| ExtendedInformation | ei | string (1000) | Stores additional Collector-collected information. Values within this variable are separated by semicolons (;). Example: a domain for an ID, or file names. | s_EI |
| FileName | fn | string (1000) | The name of the program executed or the file accessed, modified or affected. Example: the name of a virus-infected file or of a program detected by an IDS. | s_FN |
| Message | msg | string (4000) | Free-form message text for the event. | s_BM |
| Protocol | prot | string | The network protocol of the event. | s_P |
| ProductName | pn | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. Example: Check Point FireWall=CPFW. | s_PN |
| ReporterName | rn | string | The host name or IP address of the device to which the event was logged or from which notification of the event is sent. | s_RN |
| ReservedVar1 thru ReservedVar10 | rv1 thru rv10 | integer | Reserved by Novell for expansion (Number). | s_RV1 thru s_RV10 |
| ReservedVar11 thru ReservedVar20 | rv11 thru rv20 | date | Reserved by Novell for expansion (Date). | s_RV11 thru s_RV20 |
| ReservedVar21 thru ReservedVar25 | rv21 thru rv25 | UUID | Reserved by Novell for expansion (UUID). | s_RV21 thru s_RV25 |
| ControlPack | rv26 | string | Sentinel control categorization, level 1. | s_RV26 |
| ControlMonitor | rv27 | string | Sentinel control categorization, level 2. | s_RV27 |
| ReservedVar28 | rv28 | string | Reserved by Novell for expansion (String). | s_RV28 |
| SourceIPCountry | rv29 | string | Country of the source IP address. | s_RV29 |
| AttackID | rv30 | string | Normalized attack ID (Advisor attack ID). | s_RV30 |
| DeviceName | rv31 | string | Name of the security device. | s_RV31 |
| DeviceCategory | rv32 | string | Device category: AV (anti-virus), DB (database), ESEC (system event), FW (firewall), IDS (intrusion detection), OS (operating system). | s_RV32 |
| EventContext | rv33 | string | Event context (threat level). | s_RV33 |
| SourceThreatLevel | rv34 | string | Source threat level. | s_RV34 |
| SourceUserContext | rv35 | string | Source user context. | s_RV35 |
| DataContext | rv36 | string | Data context. | s_RV36 |
| SourceFunction | rv37 | string | Source function. | s_RV37 |
| SourceOperationalContext | rv38 | string | Source operational context. | s_RV38 |
| MSSPCustomerName | rv39 | string | MSSP customer name. | s_RV39 |
| ReservedVar40 thru ReservedVar43 | rv40 thru rv43 | string | Reserved by Novell for expansion (String). | s_RV40 thru s_RV43 |
| DestinationThreatLevel | rv44 | string | Destination threat level. | s_RV44 |
| DestinationUserContext | rv45 | string | Destination user context. | s_RV45 |
| VirusStatus | rv46 | string | Virus status. | s_RV46 |
| DestinationFunction | rv47 | string | Destination function. | s_RV47 |
| DestinationOperationalContext | rv48 | string | Destination operational context. | s_RV48 |
| ReservedVar49 | rv49 | string | Reserved by Novell for expansion (String). | s_RV49 |
| eSecTaxonomyLevel1 | rv50 | string | Sentinel event code categorization, level 1. | s_RV50 |
| eSecTaxonomyLevel2 | rv51 | string | Sentinel event code categorization, level 2. | s_RV51 |
| eSecTaxonomyLevel3 | rv52 | string | Sentinel event code categorization, level 3. | s_RV52 |
| eSecTaxonomyLevel4 | rv53 | string | Sentinel event code categorization, level 4. | s_RV53 |
| ReservedVar54 thru ReservedVar55 | rv54 thru rv55 | string | Reserved by Novell for expansion (String). | s_RV54 thru s_RV55 |
| SourceAssetName | rv56 | string | Source (Asset Mgmt) Asset Name | s_RV56 |
| SourceMacAddress | rv57 | string | Source (Asset Mgmt) MAC Address | s_RV57 |
| SourceNetworkIdentity | rv58 | string | Source (Asset Mgmt) Network Identity | s_RV58 |
| SourceAssetCategory | rv59 | string | Source (Asset Mgmt) Asset Category | s_RV59 |
| SourceEnvironmentIdentity | rv60 | string | Source (Asset Mgmt) Environment Identity | s_RV60 |
| SourceAssetValue | rv61 | string | Source (Asset Mgmt) Asset Value | s_RV61 |
| SourceCriticality | rv62 | string | Source (Asset Mgmt) Criticality | s_RV62 |
| SourceSensitivity | rv63 | string | Source (Asset Mgmt) Sensitivity | s_RV63 |
| SourceBuilding | rv64 | string | Source (Asset Mgmt) Building | s_RV64 |
| SourceRoom | rv65 | string | Source (Asset Mgmt) Room | s_RV65 |
| SourceRackNumber | rv66 | string | Source (Asset Mgmt) Rack Number | s_RV66 |
| SourceCity | rv67 | string | Source (Asset Mgmt) City | s_RV67 |
| SourceState | rv68 | string | Source (Asset Mgmt) State | s_RV68 |
| SourceCountry | rv69 | string | Source (Asset Mgmt) Country | s_RV69 |
| SourceZipCode | rv70 | string | Source (Asset Mgmt) Zip Code | s_RV70 |
| SourceAssetOwner | rv71 | string | Source (Asset Mgmt) Asset Owner | s_RV71 |
| SourceAssetMaintainer | rv72 | string | Source (Asset Mgmt) Asset Maintainer | s_RV72 |
| SourceBusinessUnit | rv73 | string | Source (Asset Mgmt) Business Unit | s_RV73 |
| SourceLineOfBusiness | rv74 | string | Source (Asset Mgmt) Line of Business | s_RV74 |
| SourceDivision | rv75 | string | Source (Asset Mgmt) Division | s_RV75 |
| SourceDepartment | rv76 | string | Source (Asset Mgmt) Department | s_RV76 |
| SourceAssetId | rv77 | string | Source (Asset Mgmt) Source Asset Id | s_RV77 |
| DestinationAssetName | rv78 | string | Destination (Asset Mgmt) Asset Name | s_RV78 |
| DestinationMacAddress | rv79 | string | Destination (Asset Mgmt) MAC Address | s_RV79 |
| DestinationNetworkIdentity | rv80 | string | Destination (Asset Mgmt) Network Identity | s_RV80 |
| DestinationAssetCategory | rv81 | string | Destination (Asset Mgmt) Asset Category | s_RV81 |
| DestinationEnvironmentIdentity | rv82 | string | Destination (Asset Mgmt) Environment Identity | s_RV82 |
| DestinationAssetValue | rv83 | string | Destination (Asset Mgmt) Asset Value | s_RV83 |
| DestinationCriticality | rv84 | string | Destination (Asset Mgmt) Criticality | s_RV84 |
| DestinationSensitivity | rv85 | string | Destination (Asset Mgmt) Sensitivity | s_RV85 |
| DestinationBuilding | rv86 | string | Destination (Asset Mgmt) Building | s_RV86 |
| DestinationRoom | rv87 | string | Destination (Asset Mgmt) Room | s_RV87 |
| DestinationRackNumber | rv88 | string | Destination (Asset Mgmt) Rack Number | s_RV88 |
| DestinationCity | rv89 | string | Destination (Asset Mgmt) City | s_RV89 |
| DestinationState | rv90 | string | Destination (Asset Mgmt) State | s_RV90 |
| DestinationCountry | rv91 | string | Destination (Asset Mgmt) Country | s_RV91 |
| DestinationZipCode | rv92 | string | Destination (Asset Mgmt) Zip Code | s_RV92 |
| DestinationAssetOwner | rv93 | string | Destination (Asset Mgmt) Asset Owner | s_RV93 |
| DestinationAssetMaintainer | rv94 | string | Destination (Asset Mgmt) Asset Maintainer | s_RV94 |
| DestinationBusinessUnit | rv95 | string | Destination (Asset Mgmt) Business Unit | s_RV95 |
| DestinationLineOfBusiness | rv96 | string | Destination (Asset Mgmt) Line of Business | s_RV96 |
| DestinationDivision | rv97 | string | Destination (Asset Mgmt) Division | s_RV97 |
| DestinationDepartment | rv98 | string | Destination (Asset Mgmt) Department | s_RV98 |
| DestinationAssetId | rv99 | string | Destination (Asset Mgmt) Destination Asset Id | s_RV99 |
| ReservedVar100 | rv100 | string | Reserved by Novell for expansion (String). | s_RV100 |
| Resource | res | string | The resource name. | s_Res |
| DeviceAttackName | rt1 | string | For use with Advisor. Attack name from the security device. | s_RT1 |
| Rt2 | rt2 | string | Populated with the correlation rule name when a correlation rule generates an event. | s_RT2 |
| Rt3 | rt3 | integer | Reserved by Novell for expansion (Number). | s_RT3 |
| SourceHostName | shn | string | The source host name from which the event originated. | s_SHN |
| SourceID | src | UUID | Unique identifier for the Sentinel process that generated this event. | |
| SourceIP | sip | IPv4 | The source IP address from which the event originated. | s_SIP |
| SensorName | sn | string | The name of the "ultimate detector" of the event when received in raw data. Example: "FW1" for a firewall. | s_SN |
| Severity | sev | integer | The normalized severity of the event (0-5). | i_Severity |
| SourcePort | sp | string (32) | The source port from which the event originated. | s_SP |
| SensorType | st | string (5) | The single-character designator for the sensor type: A (audit), C (correlation), H (host-based), I (internal, system event), N (network-based), O (other), P (performance, system event), V (anti-virus), W (watchlist). | s_ST |
| SourceUserName | sun | string | The source user name used to initiate an event. Example: "jdoe" during an attempt to "su". | s_SUN |
| SubResource | sres | string | The sub-resource name. | s_SubRes |
| Vulnerability | vul | integer | The vulnerability of the asset identified in this event. | s_VULN |
| Collector Script | agent | string (64) | Sentinel Collector that generated the event. For system events, the Collector is either Performance or Internal. | Not Applicable |
| Collector | port | string (64) | Sentinel Collector port description. | Not Applicable |
| DeviceEventTime | det | date | The time at which the device reported the event to have occurred. This is the same value as the et field, but of type date instead of string. This field exists because good date criteria are hard to build on a string. | Not Applicable |
| SentinelProcessTime | spt | date | The time at which Sentinel received the event. This is the same value as dt if Trust event time is not selected. | Not Applicable |
| BeginTime | bgnt | date | The date and time the event started occurring. | s_BGNT |
| EndTime | endt | date | The date and time the event stopped occurring. | s_ENDT |
| RepeatCount | rc | integer | If the same event occurred repeatedly and a separate event is not created for each occurrence, this field holds the number of occurrences. | s_RC |
| DestinationPort | dpint | integer | The destination port to which the event was targeted. | s_DPINT |
| SourcePort | spint | integer | The source port from which the event originated. | s_SPINT |
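The RepeatCount, BeginTime and EndTime rows describe a Collector collapsing repeated identical events into one event rather than emitting each occurrence. The following is an added example of that aggregation, not code from Sentinel or any Collector: it folds repeats that share an aggregation key within a time window into a single event carrying s_RC, s_BGNT and s_ENDT. The key fields, the window length and the det field name used for the device time are assumptions for this example, and the input events are constructed. The aggregation key must include every field a downstream correlation rule keys on; the user name is included below precisely so that repeated failures for root are not merged with a failure for another user.

```python
from collections import OrderedDict

# Hypothetical aggregator written for this page; not part of Sentinel or any Collector.
# Assumption: two events are "the same event" only if all these Collector variables match.
# Leave a field out of this tuple and events a correlation rule needed to see separately
# are silently merged into one.
AGGREGATION_KEY = ("s_SIP", "s_DIP", "s_DPINT", "s_EVT", "s_SUN")


def aggregate(events, window_ms):
    """Fold repeats of the same event into one event with s_RC, s_BGNT and s_ENDT.

    events: dicts of Collector variables plus "det", the device event time in
    epoch milliseconds, in arrival order. A repeat is folded into the open
    aggregate for its key while det is within window_ms of that aggregate's
    s_BGNT; a later repeat flushes the old aggregate and opens a new one.
    """
    open_aggs = OrderedDict()  # key -> aggregate currently being built
    out = []
    for ev in events:
        key = tuple(ev.get(f) for f in AGGREGATION_KEY)
        agg = open_aggs.get(key)
        if agg is not None and ev["det"] - agg["s_BGNT"] <= window_ms:
            agg["s_RC"] += 1
            agg["s_ENDT"] = max(agg["s_ENDT"], ev["det"])
            continue
        if agg is not None:
            out.append(open_aggs.pop(key))  # window expired: emit and start afresh
        fresh = dict(ev)
        fresh["s_RC"] = 1            # RepeatCount: number of occurrences folded in
        fresh["s_BGNT"] = ev["det"]  # BeginTime: first occurrence
        fresh["s_ENDT"] = ev["det"]  # EndTime: most recent occurrence
        open_aggs[key] = fresh
    out.extend(open_aggs.values())   # flush whatever is still open at end of input
    return out


def total_occurrences(aggregated):
    """Sum of s_RC over the output; equals the number of input events, so nothing is lost."""
    return sum(ev["s_RC"] for ev in aggregated)


# Constructed sample input (not real log data): five failed root logins within
# two seconds, one failure for a different user, then one root failure 90 s later.
T0 = 1243857600000  # 2009-06-01 12:00:00 GMT in epoch milliseconds


def _event(det, sun="root"):
    return {"s_SIP": "192.0.2.10", "s_DIP": "198.51.100.7", "s_DPINT": 22,
            "s_EVT": "Failed Login", "s_SUN": sun, "det": det}


SAMPLE_EVENTS = [
    _event(T0), _event(T0 + 500), _event(T0 + 900), _event(T0 + 1400), _event(T0 + 2000),
    _event(T0 + 2100, sun="jdoe"),
    _event(T0 + 90000),  # outside a 60 s window: becomes a new event, not a repeat
]

if __name__ == "__main__":
    for ev in aggregate(SAMPLE_EVENTS, window_ms=60000):
        print(ev["s_SUN"], "rc=%d bgnt=%d endt=%d" % (ev["s_RC"], ev["s_BGNT"], ev["s_ENDT"]))
```

Because each output event keeps the det and other fields of its first occurrence, analysts reading s_BGNT and s_ENDT see the span of the burst, and summing s_RC across events gives the true occurrence count that a per-event count would understate.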