| Label | Correlation expression | Collector variable | Legacy Collector variable | Type | Description |
|---|---|---|---|---|---|
| DeviceEventTimeString | e.et | %et% | s_ET | string | The normalized date and time of the event, as reported by the sensor. |
| DeviceEventTime | e.det | %det% | | date | The normalized date and time of the event, as reported by the sensor. |
| SentinelProcessTime | e.spt | %spt% | | date | The date and time Sentinel received the event. |
| BeginTime | e.bgnt | %bgnt% | s_BGNT | date | The date and time the event started occurring (for repeated events). |
| EndTime | e.endt | %endt% | s_ENDT | date | The date and time the event stopped occurring (for repeated events). |
| RepeatCount | e.rc | %rc% | s_RC | integer | The number of times the same event occurred if multiple occurrences were consolidated. |
| EventTime | e.dt | %dt% | | date | The normalized date and time of the event, as given by the Collector. |
| SentinelServiceID | e.src | %src% | | UUID | Unique identifier for the Sentinel service which generated this event. |
| Severity | e.sev | %sev% | i_Severity | integer | The normalized severity of the event (0-5). |
| Vulnerability | e.vul | %vul% | s_VULN | integer | The vulnerability of the asset identified in this event. Set to 1 if Sentinel detects an exploit against a vulnerable system. Requires Advisor. |
| Criticality | e.crt | %crt% | s_CRIT | integer | The criticality of the asset identified in this event. |
| InitIP | e.sip | %sip% | s_SIP | IPv4 | IPv4 address of the initiating system. |
| TargetIP | e.dip | %dip% | s_DIP | IPv4 | IPv4 address of the target system. |
| Collector | e.port | %port% | | string | Name of the Collector that generated this event. |
| CollectorScript | e.agent | %agent% | | string | The name of the Collector Script used by the Collector to generate this event. |
| Resource | e.res | %res% | s_Res | string | Compliance monitoring hierarchy level 1. |
| SubResource | e.sres | %sres% | s_SubRes | string | Subresource name. |
| ObserverHostName | e.sn | %sn% | s_SN | string | Unqualified hostname of the observer (sensor) of the event. |
| SensorType | e.st | %st% | s_ST | string | The single-character designator for the sensor type (N, H, O, V, C, W, A, I, P, T). |
| Protocol | e.prot | %prot% | s_P | string | Protocol used between the initiating and target services. |
| InitHostName | e.shn | %shn% | s_SHN | string | Unqualified hostname of the initiating system. |
| InitServicePort | e.spint | %spint% | s_SPINT | integer | Port used by the service/application that initiated the connection. |
| InitServicePortName | e.sp | %sp% | s_SP | string | Name of the initiating service that caused the event. |
| TargetHostName | e.dhn | %dhn% | s_DHN | string | Unqualified hostname of the target system. |
| TargetServicePort | e.dpint | %dpint% | s_DPINT | integer | Network port accessed on the target. |
| TargetServicePortName | e.dp | %dp% | s_DP | string | Name of the target service affected by this event. |
| InitUserName | e.sun | %sun% | s_SUN | string | Initiating user's account name. Example: jdoe during an attempt to su. |
| TargetUserName | e.dun | %dun% | s_DUN | string | Target user's account name. Example: root during a password reset. |
| FileName | e.fn | %fn% | s_FN | string | The name of the program executed or the file accessed, modified or affected. |
| ExtendedInformation | e.ei | %ei% | s_EI | string | Stores additional Collector-processed information. Values within this variable are separated by semicolons (;). |
| ReporterHostName | e.rn | %rn% | s_RN | string | Unqualified hostname of the reporter of the event. |
| ProductName | e.pn | %pn% | s_PN | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. |
| Message | e.msg | %msg% | s_BM | string | Free-form message text for the event. |
| DeviceAttackName | e.rt1 | %rt1% | s_RT1 | string | Device-specific attack name that matches the attack name known by Advisor. Used in Exploit Detection. |
| Rt2 | e.rt2 | %rt2% | s_RT2 | string | The name of the Correlation rule that triggered the generation of the event; only set when the event was generated by the Correlation Engine. |
| Ct1 thru Ct2 | e.ct1 thru e.ct2 | %ct1% thru %ct2% | s_CT1 and s_CT2 | string | Reserved for use by customers for customer-specific data. |
| Rt3 | e.rt3 | %rt3% | | integer | Reserved by Novell for expansion. |
| Ct3 | e.ct3 | %ct3% | s_CT3 | integer | Reserved for use by customers for customer-specific data. |
| CorrelatedEventUuids | e.ceu | %ceu% | s_RT3 | string | List of event UUIDs associated with the correlated event. Only relevant for correlated events. |
| CustomerHierarchyId | e.rv1 | %rv1% | s_RV1 | integer | Used for MSSPs. |
| ReservedVar2 thru ReservedVar10 | e.rv2 thru e.rv10 | %rv2% thru %rv10% | s_RV2 thru s_RV10 | integer | Reserved by Novell for expansion. |
| ReservedVar11 thru ReservedVar20 | e.rv11 thru e.rv20 | %rv11% thru %rv20% | s_RV11 thru s_RV20 | date | Reserved by Novell for expansion. |
| CollectorManagerId | e.rv21 | %rv21% | s_RV21 | UUID | Unique identifier for the Collector Manager which generated this event. |
| CollectorId | e.rv22 | %rv22% | s_RV22 | UUID | Unique identifier for the Collector which generated this event. |
| ConnectorId | e.rv23 | %rv23% | s_RV23 | UUID | Unique identifier for the Connector which generated this event. |
| EventSourceId | e.rv24 | %rv24% | s_RV24 | UUID | Unique identifier for the Event Source which generated this event. |
| RawDataRecordId | e.rv25 | %rv25% | s_RV25 | UUID | Unique identifier for the Raw Data Record associated with this event. |
| ControlPack | e.rv26 | %rv26% | s_RV26 | string | Sentinel control categorization level 1 (for Solution Packs). |
| EventMetricClass | e.rv28 | %rv28% | s_RV28 | string | Class of the event-dependent numeric value. |
| InitIPCountry | e.rv29 | %rv29% | s_RV29 | string | Country where the IPv4 address of the initiating system is located. |
| TargetIPCountry | e.rv30 | %rv30% | s_RV30 | string | Country where the IPv4 address of the target system is located. |
| DeviceName | e.rv31 | %rv31% | s_RV31 | string | Name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. Used in Exploit Detection. |
| DeviceCategory | e.rv32 | %rv32% | s_RV32 | string | Device category (FW, IDS, AV, OS, DB). |
| EventContext | e.rv33 | %rv33% | s_RV33 | string | Event context (threat level). |
| InitThreatLevel | e.rv34 | %rv34% | s_RV34 | string | Initiator threat level. |
| InitUserDomain | e.rv35 | %rv35% | s_RV35 | string | Domain (namespace) in which the initiating account exists. |
| DataContext | e.rv36 | %rv36% | s_RV36 | string | Data context. |
| InitFunction | e.rv37 | %rv37% | s_RV37 | string | Initiator function. |
| InitOperationalContext | e.rv38 | %rv38% | s_RV38 | string | Initiator operational context. |
| MSSPCustomerName | e.rv39 | %rv39% | s_RV39 | string | MSSP customer name. |
| VendorEventCode | e.rv40 | %rv40% | s_RV40 | string | Event code reported by the device vendor. |
| TargetHostDomain | e.rv41 | %rv41% | s_RV41 | string | Domain portion of the target system's fully-qualified hostname. |
| InitDomain | e.rv42 | %rv42% | s_RV42 | string | Domain portion of the initiating system's fully-qualified hostname. |
| ReservedVar43 | e.rv43 | %rv43% | s_RV43 | string | Reserved by Novell for expansion. |
| TargetThreatLevel | e.rv44 | %rv44% | s_RV44 | string | Target threat level. |
| TargetUserDomain | e.rv45 | %rv45% | s_RV45 | string | Domain (namespace) in which the target account exists. |
| VirusStatus | e.rv46 | %rv46% | s_RV46 | string | Virus status. |
| TargetFunction | e.rv47 | %rv47% | s_RV47 | string | Target function. |
| TargetOperationalContext | e.rv48 | %rv48% | s_RV48 | string | Target operational context. |
| TaxonomyLevel4 | e.rv53 | %rv53% | s_RV53 | string | Sentinel event code categorization, level 4. |
| CustomerHierarchyLevel2 | e.rv54 | %rv54% | s_RV54 | string | Customer Hierarchy Level 2 (used by MSSPs). |
| VirusStatus | e.rv56 | %rv56% | s_RV56 | string | Virus status. |
| InitMacAddress | e.rv57 | %rv57% | s_RV57 | string | Initiator MAC address. Part of initiator host asset data. |
| InitNetworkIdentity | e.rv58 | %rv58% | s_RV58 | string | Initiator network identity. Part of initiator host asset data. |
| InitAssetFunction | e.rv60 | %rv60% | s_RV60 | string | Function of the initiating system (fileserver, webserver, etc.). |
| InitAssetValue | e.rv61 | %rv61% | s_RV61 | string | Initiator asset value. Part of initiator host asset data. |
| InitAssetCriticality | e.rv62 | %rv62% | s_RV62 | string | Criticality of the initiating system (0-5). |
| Variables reserved for future use by Novell | e.rv63 thru e.rv75 | %rv63% thru %rv75% | s_RV63 thru s_RV75 | string | Variables not currently in use. |
| InitAssetDepartment | e.rv76 | %rv76% | s_RV76 | string | Department of the initiating system. |
| InitAssetId | e.rv77 | %rv77% | s_RV77 | string | Internal asset identifier of the initiator. |
| Variables reserved for future use by Novell | e.rv78 thru e.rv80 | %rv78% thru %rv80% | s_RV78 thru s_RV80 | string | Variables not currently in use. |
| TargetAssetClass | e.rv81 | %rv81% | s_RV81 | string | Class of the target system (desktop, server, etc.). |
| TargetAssetFunction | e.rv82 | %rv82% | s_RV82 | string | Function of the target system (fileserver, webserver, etc.). |
| TargetAssetValue | e.rv83 | %rv83% | s_RV83 | string | Target asset value. Part of target host asset data. |
| Variables reserved for future use by Novell | e.rv84 thru e.rv97 | %rv84% thru %rv97% | s_RV84 thru s_RV97 | string | Variables not currently in use. |
| TargetDepartment | e.rv98 | %rv98% | s_RV98 | string | Target department. Part of target host asset data. |
| TargetAssetId | e.rv99 | %rv99% | s_RV99 | string | Internal asset identifier of the target. |
| CustomerHierarchyLevel4 | e.rv100 | %rv100% | s_RV100 | string | Customer Hierarchy Level 4 (used by MSSPs). |
| Variables reserved for future use by Novell | e.rv101 thru e.rv200 | %rv101% thru %rv200% | s_RV101 thru s_RV200 | various | Variables not currently in use. |
| CustomerVar1 thru CustomerVar10 | e.cv1 thru e.cv10 | %cv1% thru %cv10% | s_CV1 thru s_CV10 | integer | Number variable reserved for customer use. Stored in database. |
| CustomerVar11 thru CustomerVar20 | e.cv11 thru e.cv20 | %cv11% thru %cv20% | s_CV11 thru s_CV20 | date | Date variable reserved for customer use. Stored in database. |
| CustomerVar21 thru CustomerVar89 | e.cv21 thru e.cv89 | %cv21% thru %cv89% | s_CV21 thru s_CV89 | string | String variable reserved for customer use. Stored in database. |
| SARBOX | e.cv90 | %cv90% | s_CV90 | string | Set to 1 if the asset is governed by Sarbanes-Oxley. |
| HIPAA | e.cv91 | %cv91% | s_CV91 | string | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act (HIPAA) regulation. |
| GLBA | e.cv92 | %cv92% | s_CV92 | string | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act (GLBA) regulation. |
| FISMA | e.cv93 | %cv93% | s_CV93 | string | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation. |
| NISPOM | e.cv94 | %cv94% | s_CV94 | string | Set to 1 via an asset map if the target asset is governed by the National Industrial Security Program Operating Manual (NISPOM). |
| CustomerVar95 thru CustomerVar100 | e.cv95 thru e.cv100 | %cv95% thru %cv100% | s_CV95 thru s_CV100 | string | String variable reserved for customer use. Stored in database. |
| CustomerVar101 thru CustomerVar110 | e.cv101 thru e.cv110 | %cv101% thru %cv110% | s_CV101 thru s_CV110 | string | Integer variable reserved for customer use. Stored in database. |
| CustomerVar111 thru CustomerVar120 | e.cv111 thru e.cv120 | %cv111% thru %cv120% | s_CV111 thru s_CV120 | string | Date variable reserved for customer use. Stored in database. |
| CustomerVar121 thru CustomerVar130 | e.cv121 thru e.cv130 | %cv121% thru %cv130% | s_CV121 thru s_CV130 | string | UUID variable reserved for customer use. Stored in database. |
| CustomerVar131 thru CustomerVar140 | e.cv131 thru e.cv140 | %cv131% thru %cv140% | s_CV131 thru s_CV140 | string | IPv4 variable reserved for customer use. Stored in database. |
| CustomerVar141 thru CustomerVar150 | e.cv141 thru e.cv150 | %cv141% thru %cv150% | s_CV141 thru s_CV150 | string | String variable reserved for customer use. Stored in database. |
| CustomerVar151 thru CustomerVar160 | e.cv151 thru e.cv160 | %cv151% thru %cv160% | s_CV151 thru s_CV160 | string | Integer variable reserved for customer use. Not stored in database. |
| CustomerVar161 thru CustomerVar170 | e.cv161 thru e.cv170 | %cv161% thru %cv170% | s_CV161 thru s_CV170 | string | Date variable reserved for customer use. Not stored in database. |
| CustomerVar171 thru CustomerVar180 | e.cv171 thru e.cv180 | %cv171% thru %cv180% | s_CV171 thru s_CV180 | string | UUID variable reserved for customer use. Not stored in database. |
| CustomerVar181 thru CustomerVar190 | e.cv181 thru e.cv190 | %cv181% thru %cv190% | s_CV181 thru s_CV190 | string | IPv4 variable reserved for customer use. Not stored in database. |
| CustomerVar191 thru CustomerVar200 | e.cv191 thru e.cv200 | %cv191% thru %cv200% | s_CV191 thru s_CV200 | string | String variable reserved for customer use. Not stored in database. |