Sentinel Event Schema
The Sentinel™ Event Schema is used across all Sentinel products (Sentinel SIEM, Sentinel Log Manager) to describe event activity generated from integrated devices, services, and applications. All inbound event data is normalized to fit into this standard schema, and then events are enhanced with a variety of metadata to contextualize and classify each event.
At the highest level, a Sentinel event follows the XDAS standard model. This model defines three separate actors in any event record connected by an action.
- The Initiator causes the event to occur by taking action against the Target.
- The Target is the resource affected by the Action.
- The Observer detects the Action taking place and generates an event record to describe it.
Every Sentinel Event Schema field falls into one of these four groupings: it describes the Initiator, the Target, the Observer, or the Action taking place. Within a grouping the fields may describe a complex resource, such as a user account residing in a directory hosted by a particular server, or a software module running inside a service hosted by a particular server. Any particular Sentinel event will be sparsely populated, meaning that some fields will be blank, either because the Observer (event source) does not provide complete information or simply because that field is not relevant to the type of activity being described.
As mentioned, the Observer will provide some set of information in the form of a log record to Sentinel's data collection components; those components will parse the inbound data, extract all relevant pieces of information, and normalize that data into the standard Sentinel Event Schema. The Collector which parses the log record data may also inject additional information that it can determine from vendor documentation, knowledge of context, or similar sources.
The event is then processed by the Collector Manager engine, which injects additional metadata describing how and when Sentinel processed the event data. Finally, on SIEM platforms only, the Collector Manager also passes the event through the Mapping service, which may apply further contextual metadata such as identity, host, vulnerability, or custom mapped metadata.
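The three-stage flow described above (Collector parses and normalizes, Collector Manager stamps processing metadata, Mapping service enriches) is illustrated in the following added example. It is not Sentinel code: the four grouping names follow this page, but the individual field names, the lookup tables standing in for the Mapping service, the Collector Manager name `cm01`, and the sshd-style sample record are all constructed for this illustration and are not the product's own schema.

```python
"""Toy XDAS-style normalization pipeline (added example, not Sentinel code).

Grouping names (Initiator, Target, Observer, Action) follow the page; every
field name, lookup table and sample record below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample record, as an Observer (an sshd daemon) might log it.
SAMPLE_LOG = ("Mar 12 10:15:03 bastion01 sshd[2211]: Failed password for "
              "invalid user admin from 203.0.113.45 port 51022 ssh2")

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed lookup tables standing in for the Mapping service's identity and host data.
IDENTITY_MAP = {"admin": {"Department": "IT", "Identity": "svc-admin"}}
HOST_MAP = {"bastion01": {"AssetCriticality": 5}}


def collector_parse(raw: str) -> dict:
    """Stage 1: parse the raw record into the four XDAS groupings.

    Fields the source does not report stay None: sshd never says who is at
    the remote end, so Initiator.UserName is blank while the account being
    tried is the Target. This is the sparse population the page describes.
    """
    m = SSHD_RE.match(raw)
    if m is None:
        raise ValueError("record does not match the sshd format")
    return {
        "Initiator": {"IP": m["ip"], "Port": int(m["port"]), "UserName": None},
        "Target": {"UserName": m["user"], "HostName": m["host"], "ServiceName": "sshd"},
        "Observer": {"HostName": m["host"], "Product": "sshd"},
        "Action": {
            "EventName": "Authentication",
            "Outcome": "failure" if m["result"] == "Failed" else "success",
            "DeviceEventTime": m["ts"],
            "Message": raw,
        },
    }


def collector_manager_stamp(event: dict, manager: str, now: datetime) -> dict:
    """Stage 2: record how and when the event was processed."""
    event["Processing"] = {
        "CollectorManager": manager,
        "ProcessedTime": now.isoformat(),
    }
    return event


def mapping_enrich(event: dict) -> dict:
    """Stage 3 (SIEM only): attach identity and host context from the lookup maps."""
    ident = IDENTITY_MAP.get(event["Target"]["UserName"])
    if ident:
        event["Target"]["Identity"] = dict(ident)
    host = HOST_MAP.get(event["Observer"]["HostName"])
    if host:
        event["Observer"]["Asset"] = dict(host)
    return event


def populated_fields(event: dict) -> list:
    """Dotted names of every non-blank field, to show how sparse a record is."""
    out = []

    def walk(prefix, node):
        for key, value in node.items():
            name = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                walk(name, value)
            elif value is not None:
                out.append(name)

    walk("", event)
    return sorted(out)


def process(raw: str, siem: bool = True) -> dict:
    """Run the full pipeline; the Mapping stage only runs on SIEM platforms."""
    event = collector_parse(raw)
    # Constructed processing time; a real engine would use the wall clock.
    event = collector_manager_stamp(
        event, "cm01", datetime(2024, 3, 12, 10, 15, 4, tzinfo=timezone.utc))
    return mapping_enrich(event) if siem else event


if __name__ == "__main__":
    for name in populated_fields(process(SAMPLE_LOG)):
        print(name)
```

Running the block prints the populated field names for the sample record; `Initiator.UserName` is absent because the source never supplied it, while `Target.Identity.Department` appears only on the SIEM path where the Mapping stage runs.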
This page lists all fields in current usage and indicates which platforms include that field. Select a given row to see additional details.