| Field name | Tag | Description | | | |
|---|---|---|---|---|---|
| Collector | port | Name of the Collector that generated this event. | | | |
| CollectorId | rv22 | Unique identifier for the Collector which generated this event. | | | |
| CollectorManagerId | rv21 | Unique identifier for the Collector Manager which generated this event. | | | |
| CollectorScript | agent | The name of the Collector Script used by the Collector to generate this event. | Y | | Y |
| ConnectorId | rv23 | Unique identifier for the Connector which generated this event. | | | |
| ControlMonitor | rv27 | Control categorization - level 2 | Y | | |
| ControlPack | rv26 | Control categorization - level 1 | Y | | |
| CorrelatedEventUuids | ceu | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | | | |
| Criticality | crt | The criticality of the asset identified in this event. | | | |
| Ct1 | ct1 | Reserved for use by customers for customer-specific data. (String) | | | |
| Ct2 | ct2 | Reserved for use by customers for customer-specific data. (String) | | | |
| Ct3 | ct3 | Reserved for use by customers for customer-specific data. (Number) | | | |
| CustomerHierarchyId | rv1 | Customer Hierarchy Id | | | |
| CustomerHierarchyLevel1 | rv49 | Customer Hierarchy Level 1 | Y | | |
| CustomerHierarchyLevel2 | rv54 | Customer Hierarchy Level 2 | | | |
| CustomerHierarchyLevel3 | rv55 | Customer Hierarchy Level 3 | | | |
| CustomerHierarchyLevel4 | rv100 | Customer Hierarchy Level 4 | | | |
| CustomerVar1-CustomerVar10 | cv1-10 | Reserved for use by customers for customer-specific data. (Number) | Y | | Y |
| CustomerVar100 | cv100 | Reserved for use by customers for customer-specific data. (String) | | | |
| CustomerVar101-CustomerVar130 | cv101-130 | Reserved for use by customers for customer-specific data. (Integer; Stored in DB) | | | |
| CustomerVar11-CustomerVar20 | cv11-20 | Reserved for use by customers for customer-specific data. (Date) | Y | | |
| CustomerVar131-140 | cv131-140 | Reserved for use by customers for customer-specific data. (IPv4; Stored in DB) | Y | | |
| CustomerVar141-150 | cv141-150 | Reserved for use by customers for customer-specific data. (String; Stored in DB) | Y | | |
| CustomerVar151-160 | cv151-160 | Reserved for use by customers for customer-specific data. (Integer; Not stored in DB) | Y | | |
| CustomerVar161-170 | cv161-170 | Reserved for use by customers for customer-specific data. (Date; Not stored in DB) | Y | | |
| CustomerVar171-180 | cv171-180 | Reserved for use by customers for customer-specific data. (UUID; Not stored in DB) | Y | | |
| CustomerVar181-190 | cv181-190 | Reserved for use by customers for customer-specific data. (IPv4; Not stored in DB) | Y | | |
| CustomerVar191-200 | cv191-200 | Reserved for use by customers for customer-specific data. (String; Not stored in DB) | Y | | |
| CustomerVar21-99 | cv21-99 | Reserved for use by customers for customer-specific data. (String) | Y | | |
| DataContext | rv36 | Container for the FileName data object (for example, a directory for a file or a database instance for a database table) | Y | | Y |
| DataTagId | rv3 | An Id for user-defined event tagging. | | | |
| DataValue43 | rv43 | Data Value. (String) | Y | | |
| DeviceCategory | rv32 | Device category (FW, IDS, AV, OS, DB). | | | |
| DeviceName | rv31 | The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) | Y | Y | |
| EffectiveUserDomain | eudom | The domain (namespace) in which the effective user account exists. | | | Y |
| EffectiveUserID | euid | Numerical ID of the user that the InitUser is impersonating (root using su, for example), based on the raw data reported by the device. | | | Y |
| EffectiveUserName | euname | The name of the account that is effectively being used. | | | Y |
| EventContext | rv33 | Event context (threat level). | Y | | |
| EventGroupID | evtgrpid | A source-specific identifier to group multiple related events together. | | | Y |
| EventMetric | rv2 | An event-dependent numeric value. | | | Y |
| EventMetricClass | rv28 | The class of the event-dependent numeric value. | | | |
| EventName | evt | The descriptive name of the event as reported (or given) by the sensor. Example: Port Scan. | Y | Y | Y |
| EventSourceId | rv24 | Unique identifier for the Event Source which generated this event. | | | Y |
| ExtendedInformation | ei | Stores additional Collector-processed information. Values within this variable are separated by semi-colons (;). | Y | | Y |
| FISMA | cv93 | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation via an asset map. (String) | | | |
| GLBA | cv92 | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation via an asset map. (String) | | | |
| HIPAA | cv91 | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation via an asset map. (String) | | | |
| InitFunction | rv37 | Initiator function. | Y | | |
| InitHostDomain | rv42 | The domain portion of the initiating system's fully-qualified hostname. | | Y | Y |
| InitHostName | shn | The unqualified host name of the initiating system. | | Y | Y |
| InitIP | sip | The IPv4 address of the initiating system. | | | Y |
| InitIPCountry | rv29 | The country where the IPv4 address of the initiating system is located. | Y | | |
| InitOperationalContext | rv38 | Initiator operational context. | Y | | |
| InitServiceComp | isvcc | The subcomponent of the initiating service that caused this event. | Y | | |
| InitServiceName | sp | The name of the initiating service that caused this event. | | | Y |
| InitServicePort | spint | The port used by the service/application that initiated the connection. | | | Y |
| InitThreatLevel | rv34 | Initiator threat level. | | | |
| InitUserDepartment | iudep | The department of the identity associated with the initiating account. | Y | | |
| InitUserDomain | rv35 | The domain (namespace) in which the initiating account exists. | | Y | |
| InitUserFullName | iufname | The full name of the identity associated with the initiating account. | Y | Y | Y |
| InitUserID | iuid | The initiating account's source-specific identifier as determined by the Collector based on raw device data. | | | Y |
| InitUserIdentity | iuident | The internal UUID of the identity associated with the initiating account. | | | |
| InitUserName | sun | The initiating user's account name (SourceUsername). | | Y | Y |
| Message | msg | Free-form message text for the event. | | Y | Y |
| MSSPCustomerName | rv39 | Name of the MSSP customer. | | | |
| NISPOM | cv94 | Set to 1 if the asset is governed by the National Industrial Security Program Operating Manual (NISPOM) regulation via an asset map. (String) | | | |
| ObserverChannel | rv150 | The channel on which the observer delivered the event, for multi-channel protocols. An example would be the syslog facility. (String; Stored in DB) | | | Y |
| ObserverHostDomain | obsdom | The domain portion of the observer's (sensor's) fully qualified hostname. | | | Y |
| ObserverHostName | sn | The unqualified hostname of the observer of the event (SensorName). | | | Y |
| ObserverIP | obsip | The IP address of the observer (sensor) that detected the event. | | | Y |
| ProductName | pn | Indicates the type, vendor and product code name of the sensor from which the event was generated. | Y | Y | Y |
| Protocol | prot | The protocol used between the initiating and target services. | | | Y |
| RepeatCount | rc | The number of times the same event occurred if multiple occurrences were consolidated. | | | Y |
| ReporterHostDomain | repdom | The domain portion of the reporter's fully qualified hostname. | | | Y |
| ReporterHostName | rn | The unqualified hostname of the reporter of the event (ReporterName). | | | Y |
| ReporterIP | repip | The IP address of the reporter, i.e. the system that delivered the event to this server. | | | Y |
| Resource | res | The resource name. | | | |
| RetentionPolicyConflict | rv101 | Set to 1 (true) if more than one retention policy matched this event but only one was chosen. (Integer; Stored in DB) | | | Y |
| SARBOX | cv90 | Set to 1 if the asset is governed by Sarbanes-Oxley via an asset map. (String) | | | |
| SensorType | st | The single-character designator for the sensor type (N, H, O, V, C, W, A, I). | | | |
| SentinelServiceID | src | Unique identifier for the Sentinel service which generated this event. | | | |
| Severity | sev | The normalized severity of the event (0-5). | | Y | Y |
| SubResource | sres | The sub-resource name. | Y | | |
| Tags | rv145 | A comma-separated list of tags (such as PCI) applied to the event. | Y | | Y |
| TargetDataName | fn | The name of the data object (file, database table, directory object, etc.) that was affected by this event. | | | Y |
| TargetFunction | rv47 | Target function. | Y | | |
| TargetHostDomain | rv41 | The domain portion of the target system's fully-qualified hostname. | | Y | Y |
| TargetHostName | dhn | The unqualified hostname of the target system. | | Y | Y |
| TargetIP | dip | The IPv4 address of the target system. | | | Y |
| TargetIPCountry | rv30 | The country where the IPv4 address of the target system is located. | Y | | |
| TargetOperationalContext | rv48 | Target operational context. | Y | | |
| TargetServiceComp | tsvcc | The subcomponent of the target service affected by this event. | Y | | |
| TargetServiceName | dp | The name of the target service affected by this event. | | | Y |
| TargetServicePort | dpint | The network port accessed on the target. | | | Y |
| TargetThreatLevel | rv44 | Target threat level. | | | |
| TargetTrustDomain | ttd | The domain (namespace) within which the target trust exists. | | | |
| TargetTrustID | ttid | The source-specific identifier of the trust (group, role, profile, etc.) affected. | | | |
| TargetTrustName | ttn | The name of the trust (group, role, profile, etc.) affected. | | | |
| TargetUserDepartment | tudep | The department of the identity associated with the target account. | Y | | |
| TargetUserDomain | rv45 | The domain (namespace) in which the target account exists. | | | Y |
| TargetUserFullName | tufname | The full name of the identity associated with the target account. | Y | | |
| TargetUserID | tuid | The target account's source-specific identifier as determined by the Collector based on raw device data. | | | Y |
| TargetUserIdentity | tuident | The internal UUID of the identity associated with the target account. | | | |
| TargetUserName | dun | The target user's account name (DestinationUsername). | | Y | Y |
| TaxonomyLevel1 | rv50 | Event code categorization - level 1. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel2 | rv51 | Event code categorization - level 2. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel3 | rv52 | Event code categorization - level 3. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | Y | Y | Y |
| TaxonomyLevel4 | rv53 | Event code categorization - level 4. Displayed under the event name in the format: TaxonomyLevel1>> TaxonomyLevel2>> TaxonomyLevel3>> TaxonomyLevel4 | Y | Y | Y |
| VendorEventCode | rv40 | Event code reported by the device vendor. (String) | | | |
| VirusStatus | rv46 | Virus status. | | | |
| Vulnerability | vul | The vulnerability of the asset identified in this event. | | | |
| XDASClass | xdasclass | The XDAS Event Class ID; refer to the XDAS specification. | | | |
| XDASDetail | xdasdetail | The XDAS outcome detail; refer to the XDAS specification. | | | |
| XDASIdentifier | xdasid | The XDAS Event Identifier; refer to the XDAS specification. | | | |
| XDASOutcome | xdasoutcome | The XDAS major outcome: success, failure, or denial. | | | |
| XDASOutcomeName | xdasoutcomename | Human-readable XDAS outcome. | Y | Y | |
| XDASProvider | xdasprov | The XDAS Provider ID; refer to the XDAS specification. | | | |
| XDASRegistry | xdasreg | The XDAS Registry ID; refer to the XDAS specification. | | | |
| XDASTaxonomyName | xdastaxname | Human-readable XDAS event taxonomy string. | Y | Y | |