Each event has its own fields. Based on the type of event, some fields in an event might not be populated. The values for these event fields can be viewed by using a search or running a report. Each field has a short name that is used in advanced searches. The values for most of these fields are visible in the detailed event view; other values are visible in the basic event view.
NOTE: The taxonomy values that you can search for in the TaxonomyLevel* and XDAS* fields are documented on the Sentinel Taxonomy Web page.
Some fields are tokenized: the field value is split into words on spaces and other special characters, and articles such as “a” or “the” are removed from the search index. Tokenizing makes it possible to search for an individual word in the field without a wildcard.
Tokenized fields are marked in the following table; searches on these fields are not case-sensitive.
NOTE: In addition to the tokenized fields listed below, a search that does not specify a field name (a full-text search) is also performed tokenized and is therefore not case-sensitive.
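As an added example (not code from the Sentinel documentation), the following Python model shows how the Tokenized column of Table E-1 changes what a search term matches: tokenized fields such as msg and evt match single words case-insensitively, non-tokenized fields such as sun and sip match the whole value case-sensitively unless a wildcard is used, and a full-text clause is tokenized across every populated field. The exact split rule (any run of non-alphanumeric characters) and the stopword list are assumptions; the page only states that fields are split on spaces and other special characters and that articles such as “a” and “the” are dropped. The sample events are constructed.

```python
"""Model of Sentinel-style field search: tokenized vs. exact-match fields.

Added illustration, not Sentinel code. Field short names come from Table E-1;
the split rule and the stopword list are assumptions.
"""
import re
from fnmatch import fnmatchcase

# Short names whose "Tokenized" column is Y in Table E-1.
TOKENIZED_FIELDS = {"msg", "evt", "pn", "agent", "ei", "rv145"}

# Articles dropped from the index. The page names "a" and "the"; a real
# index may drop more words than this (assumption).
STOPWORDS = {"a", "the"}

# Assumption: any run of non-alphanumeric characters separates tokens.
TOKEN_SPLIT = re.compile(r"[^0-9A-Za-z]+")


def tokenize(value):
    """Split a field value into lower-case tokens with articles removed."""
    return [t.lower() for t in TOKEN_SPLIT.split(value)
            if t and t.lower() not in STOPWORDS]


def token_match(value, term):
    """Case-insensitive match of one search term against the tokens of a value."""
    pattern = term.lower()
    return any(fnmatchcase(tok, pattern) for tok in tokenize(value))


def field_matches(short_name, value, term):
    """Match a term against one field, honouring the field's Tokenized flag."""
    if value is None:          # field not populated for this event type
        return False
    value = str(value)
    if short_name in TOKENIZED_FIELDS:
        return token_match(value, term)
    # Non-tokenized field: the whole value must match, case-sensitively,
    # so a partial match needs an explicit '*' wildcard.
    return fnmatchcase(value, term)


def full_text_matches(event, term):
    """Full-text search (no field name): tokenized over every populated field."""
    return any(token_match(str(v), term) for v in event.values() if v is not None)


def search(events, clauses):
    """Return indexes of events satisfying every (short_name, term) clause.

    A short_name of None means a full-text clause.
    """
    hits = []
    for idx, event in enumerate(events):
        if all(full_text_matches(event, term) if name is None
               else field_matches(name, event.get(name), term)
               for name, term in clauses):
            hits.append(idx)
    return hits


# Constructed sample events keyed by short name (not real Sentinel output).
EVENTS = [
    {"evt": "Failed Login", "sun": "Administrator", "sip": "10.0.0.5",
     "msg": "The user Administrator failed to authenticate from 10.0.0.5",
     "pn": "Microsoft Active Directory"},
    {"evt": "Port Scan", "sun": None, "sip": "10.0.0.9",
     "msg": "A port scan was detected against the web tier", "pn": "Snort"},
    {"evt": "Login", "sun": "administrator", "sip": "10.0.0.7",
     "msg": "User administrator logged on", "pn": "Linux PAM"},
]

if __name__ == "__main__":
    print(tokenize(EVENTS[0]["msg"]))
    print("msg:failed        ->", search(EVENTS, [("msg", "failed")]))
    print("sun:administrator ->", search(EVENTS, [("sun", "administrator")]))
    print("sun:Admin*        ->", search(EVENTS, [("sun", "Admin*")]))
    print("administrator     ->", search(EVENTS, [(None, "administrator")]))
```

Under the assumed split rule an IPv4 address breaks into four numeric tokens, which is why a full-text clause for `10.0.0.5` finds nothing while a clause on the non-tokenized `sip` field does; this is the practical reason to search address, user-name and port fields by their short name rather than through full text.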
Table E-1 Event Fields

| Field | Short Name | Description | Tokenized | Visible in Basic View | Visible in Detailed View |
|---|---|---|---|---|---|
| Collector | port | Name of the Collector that generated this event. | | | |
| CollectorId | rv22 | Unique identifier for the Collector which generated this event. | | | |
| CollectorManagerId | rv21 | Unique identifier for the Collector Manager which generated this event. | | | |
| CollectorScript | agent | The name of the Collector Script used by the Collector to generate this event. | Y | Y | |
| ConnectorId | rv23 | Unique identifier for the Connector which generated this event. | | | |
| ControlMonitor | rv27 | Control categorization - level 2 | Y | | |
| ControlPack | rv26 | Control categorization - level 1 | Y | | |
| CorrelatedEventUuids | ceu | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | | | |
| Criticality | crt | The criticality of the asset identified in this event. | | | |
| Ct1 | ct1 | Reserved for use by customers for customer-specific data. (String) | | | |
| Ct2 | ct2 | Reserved for use by customers for customer-specific data. (String) | | | |
| Ct3 | ct3 | Reserved for use by customers for customer-specific data. (Number) | | | |
| CustomerHierarchyId | rv1 | Customer Hierarchy Id | | | |
| CustomerHierarchyLevel1 | rv49 | Customer Hierarchy Level 1 | Y | | |
| CustomerHierarchyLevel2 | rv54 | Customer Hierarchy Level 2 | | | |
| CustomerHierarchyLevel3 | rv55 | Customer Hierarchy Level 3 | | | |
| CustomerHierarchyLevel4 | rv100 | Customer Hierarchy Level 4 | | | |
| CustomerVar1-CustomerVar10 | cv1-10 | Reserved for use by customers for customer-specific data. (Number) | Y | | Y |
| CustomerVar100 | cv100 | Reserved for use by customers for customer-specific data. (String) | | | |
| CustomerVar101-CustomerVar130 | cv101-130 | Reserved for use by customers for customer-specific data. (Integer; Stored in DB) | | | |
| CustomerVar11-CustomerVar20 | cv11-20 | Reserved for use by customers for customer-specific data. (Date) | Y | | |
| CustomerVar131-140 | cv131-140 | Reserved for use by customers for customer-specific data. (IPv4; Stored in DB) | Y | | |
| CustomerVar141-150 | cv141-150 | Reserved for use by customers for customer-specific data. (String; Stored in DB) | Y | | |
| CustomerVar151-160 | cv151-160 | Reserved for use by customers for customer-specific data. (Integer; Not stored in DB) | Y | | |
| CustomerVar161-170 | cv161-170 | Reserved for use by customers for customer-specific data. (Date; Not stored in DB) | Y | | |
| CustomerVar171-180 | cv171-180 | Reserved for use by customers for customer-specific data. (UUID; Not stored in DB) | Y | | |
| CustomerVar181-190 | cv181-190 | Reserved for use by customers for customer-specific data. (IPv4; Not stored in DB) | Y | | |
| CustomerVar191-200 | cv191-200 | Reserved for use by customers for customer-specific data. (String; Not stored in DB) | Y | | |
| CustomerVar21-99 | cv21-99 | Reserved for use by customers for customer-specific data. (String) | Y | | |
| DataContext | rv36 | Container for the FileName data object (for example, a directory for a file or a database instance for a database table). | Y | Y | |
| DataTagId | rv3 | An Id for user-defined event tagging. | | | |
| DataValue43 | rv43 | Data Value. (String) | Y | | |
| DeviceCategory | rv32 | Device category (FW, IDS, AV, OS, DB). | | | |
| DeviceName | rv31 | The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) | Y | Y | |
| EffectiveUserDomain | eudom | The domain (namespace) in which the effective user account exists. | | | Y |
| EffectiveUserID | euid | Numerical ID of the user that the InitUser is impersonating (root using su, for example), based on the raw data reported by the device. | | | Y |
| EffectiveUserName | euname | The name of the account that is effectively being used. | | Y | |
| EventContext | rv33 | Event context (threat level). | Y | | |
| EventGroupID | evtgrpid | A source-specific identifier to group multiple related events together. | | Y | |
| EventMetric | rv2 | An event-dependent numeric value. | | Y | |
| EventMetricClass | rv28 | The class of the event-dependent numeric value. | | | |
| EventName | evt | The descriptive name of the event as reported (or given) by the sensor. Example: Port Scan. | Y | Y | Y |
| EventSourceId | rv24 | Unique identifier for the Event Source which generated this event. | | Y | |
| ExtendedInformation | ei | Stores additional Collector-processed information. Values within this variable are separated by semicolons (;). | Y | Y | |
| FISMA | cv93 | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation via an asset map. (String) | | | |
| GLBA | cv92 | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation via an asset map. (String) | | | |
| HIPAA | cv91 | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation via an asset map. (String) | | | |
| InitFunction | rv37 | Initiator function. | Y | | |
| InitHostDomain | rv42 | The domain portion of the initiating system's fully qualified hostname. | | Y | Y |
| InitHostName | shn | The unqualified host name of the initiating system. | | Y | Y |
| InitIP | sip | The IPv4 address of the initiating system. | | | Y |
| InitIPCountry | rv29 | The country where the IPv4 address of the initiating system is located. | Y | | |
| InitOperationalContext | rv38 | Initiator operational context. | Y | | |
| InitServiceComp | isvcc | The subcomponent of the initiating service that caused this event. | Y | | |
| InitServiceName | sp | The name of the initiating service that caused this event. | | | Y |
| InitServicePort | spint | The port used by the service/application that initiated the connection. | | | Y |
| InitThreatLevel | rv34 | Initiator threat level. | | | |
| InitUserDepartment | iudep | The department of the identity associated with the initiating account. | Y | | |
| InitUserDomain | rv35 | The domain (namespace) in which the initiating account exists. | | Y | |
| InitUserFullName | iufname | The full name of the identity associated with the initiating account. | Y | Y | Y |
| InitUserID | iuid | The initiating account's source-specific identifier as determined by the Collector based on raw device data. | | | Y |
| InitUserIdentity | iuident | The internal UUID of the identity associated with the initiating account. | | | |
| InitUserName | sun | The initiating user's account name (SourceUsername). | | Y | Y |
| Message | msg | Free-form message text for the event. | Y | Y | |
| MSSPCustomerName | rv39 | Name of the MSSP customer. | | | |
| NISPOM | cv94 | Set to 1 if the asset is governed by the National Industrial Security Program Operating Manual (NISPOM) regulation via an asset map. (String) | | | |
| ObserverChannel | rv150 | The channel on which the observer delivered the event, for multi-channel protocols. An example would be the syslog facility. (String; Stored in DB) | | Y | |
| ObserverHostDomain | obsdom | The domain portion of the observer's (sensor's) fully qualified hostname. | | | Y |
| ObserverHostName | sn | The unqualified hostname of the observer of the event (SensorName). | | | Y |
| ObserverIP | obsip | The IP address of the observer (sensor) that detected the event. | | | Y |
| ProductName | pn | Indicates the type, vendor and product code name of the sensor from which the event was generated. | Y | Y | Y |
| Protocol | prot | The protocol used between the initiating and target services. | | Y | |
| RepeatCount | rc | The number of times the same event occurred if multiple occurrences were consolidated. | | Y | |
| ReporterHostDomain | repdom | The domain portion of the reporter's fully qualified hostname. | | | Y |
| ReporterHostName | rn | The unqualified hostname of the reporter of the event (ReporterName). | Y | | |
| ReporterIP | repip | The IP address of the reporter, i.e. the system that delivered the event to this server. | | | Y |
| Resource | res | The resource name. | | | |
| RetentionPolicyConflict | rv101 | Set to 1 (true) if more than one retention policy matched this event but only one was chosen. (Integer; Stored in DB) | Y | | |
| SARBOX | cv90 | Set to 1 if the asset is governed by Sarbanes-Oxley via an asset map. (String) | | | |
| SensorType | st | The single-character designator for the sensor type (N, H, O, V, C, W, A, I). | | | |
| SentinelServiceID | src | Unique identifier for the Sentinel service which generated this event. | | | |
| Severity | sev | The normalized severity of the event (0-5). | | Y | Y |
| SubResource | sres | The sub-resource name. | Y | | |
| Tags | rv145 | A comma-separated list of tags (such as PCI) applied to the event. | Y | Y | |
| TargetDataName | fn | The name of the data object (file, database table, directory object, etc.) that was affected by this event. | | Y | |
| TargetFunction | rv47 | Target function. | Y | | |
| TargetHostDomain | rv41 | The domain portion of the target system's fully qualified hostname. | | Y | Y |
| TargetHostName | dhn | The unqualified hostname of the target system. | | Y | Y |
| TargetIP | dip | The IPv4 address of the target system. | | | Y |
| TargetIPCountry | rv30 | The country where the IPv4 address of the target system is located. | Y | | |
| TargetOperationalContext | rv48 | Target operational context. | Y | | |
| TargetServiceComp | tsvcc | The subcomponent of the target service affected by this event. | Y | | |
| TargetServiceName | dp | The name of the target service affected by this event. | | | Y |
| TargetServicePort | dpint | The network port accessed on the target. | | | Y |
| TargetThreatLevel | rv44 | Target threat level. | | | |
| TargetTrustDomain | ttd | The domain (namespace) within which the target trust exists. | | | |
| TargetTrustID | ttid | The source-specific identifier of the trust (group, role, profile, etc.) affected. | | | |
| TargetTrustName | ttn | The name of the trust (group, role, profile, etc.) affected. | | | |
| TargetUserDepartment | tudep | The department of the identity associated with the target account. | Y | | |
| TargetUserDomain | rv45 | The domain (namespace) in which the target account exists. | | Y | |
| TargetUserFullName | tufname | The full name of the identity associated with the target account. | Y | | |
| TargetUserID | tuid | The target account's source-specific identifier as determined by the Collector based on raw device data. | | | Y |
| TargetUserIdentity | tuident | The internal UUID of the identity associated with the target account. | | | |
| TargetUserName | dun | The target user's account name (DestinationUsername). | | Y | Y |
| TaxonomyLevel1 | rv50 | Event code categorization - level 1. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel2 | rv51 | Event code categorization - level 2. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel3 | rv52 | Event code categorization - level 3. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel4 | rv53 | Event code categorization - level 4. Displayed under the event name in the format: TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4 | Y | Y | Y |
| VendorEventCode | rv40 | Event code reported by the device vendor. (String) | | | |
| VirusStatus | rv46 | Virus status. | | | |
| Vulnerability | vul | The vulnerability of the asset identified in this event. | | | |
| XDASClass | xdasclass | The XDAS Event Class ID; refer to the XDAS specification. | | | |
| XDASDetail | xdasdetail | The XDAS outcome detail; refer to the XDAS specification. | | | |
| XDASIdentifier | xdasid | The XDAS Event Identifier; refer to the XDAS specification. | | | |
| XDASOutcome | xdasoutcome | The XDAS major outcome: success, failure, or denial. | | | |
| XDASOutcomeName | xdasoutcomename | Human-readable XDAS outcome. | Y | Y | |
| XDASProvider | xdasprov | The XDAS Provider ID; refer to the XDAS specification. | | | |
| XDASRegistry | xdasreg | The XDAS Registry ID; refer to the XDAS specification. | | | |
| XDASTaxonomyName | xdastaxname | Human-readable XDAS event taxonomy string. | Y | Y | |