E.0 Event Fields

Each event has its own fields. Depending on the type of event, some fields might not be populated. The values of these event fields can be viewed by running a search or a report. Each field has a short name that is used in advanced searches. The values of most of these fields are visible in the detailed event view; the remaining values are visible in the basic event view.

NOTE: The taxonomy values that you can search for in the TaxonomyLevel* and XDAS* fields are documented on the Sentinel Taxonomy Web page.

Some fields are tokenized. Tokenizing makes it possible to search for an individual word in the field without using a wildcard. Fields are tokenized on spaces and other special characters, and for these fields articles such as "a" or "the" are removed from the search index.

Tokenized fields are marked in the following table; searches on these fields are not case-sensitive.

NOTE: In addition to the tokenized fields listed below, a search that does not specify a field name (a full-text search) is also performed tokenized and is therefore not case-sensitive.
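The search behaviour described above, as an added example rather than code from the Sentinel product or its documentation: a small Python model of tokenized versus exact field matching and of the field-less full-text search. It assumes a `short:term` query syntax (Lucene style, with quotes around multi-word terms), a tokenizer that splits on non-alphanumeric characters, lowercases, and drops the articles "a", "an" and "the" (the page does not give the index's exact rules), a tokenized-field set taken from the table rows marked Y in the Tokenized column, and constructed sample events.

```python
import re

# Short names the table marks as tokenized (EventName, ProductName, InitUserFullName,
# TaxonomyLevel1-4). Every other field is treated as an exact, case-sensitive match here.
TOKENIZED_FIELDS = {"evt", "pn", "iufname", "rv50", "rv51", "rv52", "rv53"}
STOP_WORDS = {"a", "an", "the"}  # articles the page says are dropped from the index

# Constructed sample events (not real Sentinel data), keyed by field short name.
EVENTS = [
    {"evt": "Port Scan Detected", "pn": "Snort IDS", "sun": "Alice", "sev": 4},
    {"evt": "Login Failure", "pn": "Linux PAM", "sun": "bob", "sev": 3},
    {"evt": "Port Scan", "pn": "Snort IDS", "sun": "svc-scanner", "sev": 2},
]


def tokenize(value):
    """Assumed tokenizer: split on spaces and other non-alphanumerics, lowercase,
    and drop articles. The real index's exact rules are not given on the page."""
    return [t for t in re.split(r"[^0-9a-z]+", str(value).lower())
            if t and t not in STOP_WORDS]


def tokens_contain(value, term):
    """True when every token of the search term appears among the value's tokens."""
    have = set(tokenize(value))
    needed = tokenize(term)
    return bool(needed) and all(t in have for t in needed)


def field_matches(short_name, value, term):
    """Tokenized fields match word by word (case-insensitive, no wildcard needed);
    all other fields must equal the term exactly."""
    if short_name in TOKENIZED_FIELDS:
        return tokens_contain(value, term)
    return str(value) == term


def search(query, events=EVENTS):
    """Evaluate one query against the sample events and return the matching EventNames.

    Accepts `short:term`, `short:"multi word term"`, or a bare term with no field
    name, which the page says is run as a tokenized full-text search.
    """
    field, sep, term = query.partition(":")
    if not sep:
        term = field.strip('"')
        return [e["evt"] for e in events
                if any(tokens_contain(v, term) for v in e.values() if isinstance(v, str))]
    term = term.strip('"')
    return [e["evt"] for e in events
            if field in e and field_matches(field, e[field], term)]


if __name__ == "__main__":
    for q in ('evt:scan', 'evt:"the port scan"', 'sun:alice', 'sun:Alice', 'bob', 'sev:4'):
        print(f"{q:<22} -> {search(q)}")
```

The practical point for anyone writing detection searches: `evt:scan` finds both "Port Scan" events without a wildcard because EventName is tokenized, while `sun:alice` finds nothing because InitUserName is not tokenized and the stored value is "Alice"; the field-less query `bob` still finds the login failure, since full-text search tokenizes every field.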

Table E-1 Event Fields

The last column lists the marks from the Tokenized, Visible in Basic View, and Visible in Detailed View columns, in that order, with "-" for an unmarked cell. Where a row carries fewer than three marks, which column each mark belongs to is not recoverable from this table.

| Field | Short Name | Description | Tokenized / Basic View / Detailed View |
|---|---|---|---|
| Collector | port | Name of the Collector that generated this event. | - |
| CollectorId | rv22 | Unique identifier for the Collector that generated this event. | - |
| CollectorManagerId | rv21 | Unique identifier for the Collector Manager that generated this event. | - |
| CollectorScript | agent | The name of the Collector Script used by the Collector to generate this event. | Y / Y |
| ConnectorId | rv23 | Unique identifier for the Connector that generated this event. | - |
| ControlMonitor | rv27 | Control categorization - level 2. | Y |
| ControlPack | rv26 | Control categorization - level 1. | Y |
| CorrelatedEventUuids | ceu | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | - / - / - |
| Criticality | crt | The criticality of the asset identified in this event. | - / - / - |
| Ct1 | ct1 | Reserved for use by customers for customer-specific data. (String) | - / - / - |
| Ct2 | ct2 | Reserved for use by customers for customer-specific data. (String) | - / - / - |
| Ct3 | ct3 | Reserved for use by customers for customer-specific data. (Number) | - / - / - |
| CustomerHierarchyId | rv1 | Customer Hierarchy Id. | - / - / - |
| CustomerHierarchyLevel1 | rv49 | Customer Hierarchy Level 1. | Y / - / - |
| CustomerHierarchyLevel2 | rv54 | Customer Hierarchy Level 2. | - / - / - |
| CustomerHierarchyLevel3 | rv55 | Customer Hierarchy Level 3. | - / - / - |
| CustomerHierarchyLevel4 | rv100 | Customer Hierarchy Level 4. | - / - / - |
| CustomerVar1-CustomerVar10 | cv1-10 | Reserved for use by customers for customer-specific data. (Number) | Y / - / Y |
| CustomerVar100 | cv100 | Reserved for use by customers for customer-specific data. (String) | - / - / - |
| CustomerVar101-CustomerVar130 | cv101-130 | Reserved for use by customers for customer-specific data. (Integer; stored in DB) | - / - / - |
| CustomerVar11-CustomerVar20 | cv11-20 | Reserved for use by customers for customer-specific data. (Date) | Y |
| CustomerVar131-140 | cv131-140 | Reserved for use by customers for customer-specific data. (IPv4; stored in DB) | Y |
| CustomerVar141-150 | cv141-150 | Reserved for use by customers for customer-specific data. (String; stored in DB) | Y |
| CustomerVar151-160 | cv151-160 | Reserved for use by customers for customer-specific data. (Integer; not stored in DB) | Y |
| CustomerVar161-170 | cv161-170 | Reserved for use by customers for customer-specific data. (Date; not stored in DB) | Y |
| CustomerVar171-180 | cv171-180 | Reserved for use by customers for customer-specific data. (UUID; not stored in DB) | Y |
| CustomerVar181-190 | cv181-190 | Reserved for use by customers for customer-specific data. (IPv4; not stored in DB) | Y |
| CustomerVar191-200 | cv191-200 | Reserved for use by customers for customer-specific data. (String; not stored in DB) | Y |
| CustomerVar21-99 | cv21-99 | Reserved for use by customers for customer-specific data. (String) | Y |
| DataContext | rv36 | Container for the FileName data object (for example, a directory for a file or a database instance for a database table). | Y / Y |
| DataTagId | rv3 | An Id for user-defined event tagging. | - |
| DataValue43 | rv43 | Data Value. (String) | Y |
| DeviceCategory | rv32 | Device category (FW, IDS, AV, OS, DB). | - |
| DeviceName | rv31 | The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) | Y / Y |
| EffectiveUserDomain | eudom | The domain (namespace) in which the effective user account exists. | - / - / Y |
| EffectiveUserID | euid | Numerical ID of the user that the InitUser is impersonating (for example, root via su), based on the raw data reported by the device. | - / - / Y |
| EffectiveUserName | euname | The name of the account that is effectively being used. | - / Y |
| EventContext | rv33 | Event context (threat level). | Y |
| EventGroupID | evtgrpid | A source-specific identifier that groups multiple related events together. | - / Y |
| EventMetric | rv2 | An event-dependent numeric value. | - / Y |
| EventMetricClass | rv28 | The class of the event-dependent numeric value. | - |
| EventName | evt | The descriptive name of the event as reported (or given) by the sensor. Example: Port Scan. | Y / Y / Y |
| EventSourceId | rv24 | Unique identifier for the Event Source that generated this event. | - / Y |
| ExtendedInformation | ei | Stores additional Collector-processed information. Values within this variable are separated by semicolons (;). | Y / Y |
| FISMA | cv93 | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation via an asset map. (String) | - |
| GLBA | cv92 | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation via an asset map. (String) | - |
| HIPAA | cv91 | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation via an asset map. (String) | - |
| InitFunction | rv37 | Initiator function. | Y |
| InitHostDomain | rv42 | The domain portion of the initiating system's fully qualified hostname. | - / Y / Y |
| InitHostName | shn | The unqualified hostname of the initiating system. | - / Y / Y |
| InitIP | sip | The IPv4 address of the initiating system. | - / - / Y |
| InitIPCountry | rv29 | The country where the IPv4 address of the initiating system is located. | Y |
| InitOperationalContext | rv38 | Initiator operational context. | Y |
| InitServiceComp | isvcc | The subcomponent of the initiating service that caused this event. | Y |
| InitServiceName | sp | The name of the initiating service that caused this event. | - / - / Y |
| InitServicePort | spint | The port used by the service/application that initiated the connection. | - / - / Y |
| InitThreatLevel | rv34 | Initiator threat level. | - |
| InitUserDepartment | iudep | The department of the identity associated with the initiating account. | Y |
| InitUserDomain | rv35 | The domain (namespace) in which the initiating account exists. | - / Y |
| InitUserFullName | iufname | The full name of the identity associated with the initiating account. | Y / Y / Y |
| InitUserID | iuid | The initiating account's source-specific identifier, as determined by the Collector from raw device data. | - / - / Y |
| InitUserIdentity | iuident | The internal UUID of the identity associated with the initiating account. | - / - / - |
| InitUserName | sun | The initiating user's account name (SourceUsername). | - / Y / Y |
| Message | msg | Free-form message text for the event. | Y / Y |
| MSSPCustomerName | rv39 | Name of the MSSP customer. | |
| NISPOM | cv94 | Set to 1 if the asset is governed by the National Industrial Security Program Operating Manual (NISPOM) regulation via an asset map. (String) | - |
| ObserverChannel | rv150 | The channel on which the observer delivered the event, for multi-channel protocols; for example, the syslog facility. (String; stored in DB) | - / Y |
| ObserverHostDomain | obsdom | The domain portion of the observer's (sensor's) fully qualified hostname. | - / - / Y |
| ObserverHostName | sn | The unqualified hostname of the observer of the event (SensorName). | - / - / Y |
| ObserverIP | obsip | The IP address of the observer (sensor) that detected the event. | - / - / Y |
| ProductName | pn | Indicates the type, vendor, and product code name of the sensor from which the event was generated. | Y / Y / Y |
| Protocol | prot | The protocol used between the initiating and target services. | - / Y |
| RepeatCount | rc | The number of times the same event occurred, if multiple occurrences were consolidated. | - / Y |
| ReporterHostDomain | repdom | The domain portion of the reporter's fully qualified hostname. | - / - / Y |
| ReporterHostName | rn | The unqualified hostname of the reporter of the event (ReporterName). | Y |
| ReporterIP | repip | The IP address of the reporter, that is, the system that delivered the event to this server. | - / - / Y |
| Resource | res | The resource name. | - |
| RetentionPolicyConflict | rv101 | Set to 1 (true) if more than one retention policy matched this event but only one was chosen. (Integer; stored in DB) | Y |
| SARBOX | cv90 | Set to 1 if the asset is governed by Sarbanes-Oxley via an asset map. (String) | - |
| SensorType | st | The single-character designator for the sensor type (N, H, O, V, C, W, A, I). | - / - / - |
| SentinelServiceID | src | Unique identifier for the Sentinel service that generated this event. | - |
| Severity | sev | The normalized severity of the event (0-5). | - / Y / Y |
| SubResource | sres | The sub-resource name. | Y |
| Tags | rv145 | A comma-separated list of tags (such as PCI) applied to the event. | Y / Y |
| TargetDataName | fn | The name of the data object (file, database table, directory object, etc.) that was affected by this event. | - / Y |
| TargetFunction | rv47 | Target function. | Y |
| TargetHostDomain | rv41 | The domain portion of the target system's fully qualified hostname. | - / Y / Y |
| TargetHostName | dhn | The unqualified hostname of the target system. | - / Y / Y |
| TargetIP | dip | The IPv4 address of the target system. | - / - / Y |
| TargetIPCountry | rv30 | The country where the IPv4 address of the target system is located. | Y |
| TargetOperationalContext | rv48 | Target operational context. | Y |
| TargetServiceComp | tsvcc | The subcomponent of the target service affected by this event. | Y |
| TargetServiceName | dp | The name of the target service affected by this event. | - / - / Y |
| TargetServicePort | dpint | The network port accessed on the target. | - / - / Y |
| TargetThreatLevel | rv44 | Target threat level. | - |
| TargetTrustDomain | ttd | The domain (namespace) within which the target trust exists. | - / - |
| TargetTrustID | ttid | The source-specific identifier of the trust (group, role, profile, etc.) affected. | - / - |
| TargetTrustName | ttn | The name of the trust (group, role, profile, etc.) affected. | - / - |
| TargetUserDepartment | tudep | The department of the identity associated with the target account. | Y |
| TargetUserDomain | rv45 | The domain (namespace) in which the target account exists. | - / Y |
| TargetUserFullName | tufname | The full name of the identity associated with the target account. | Y |
| TargetUserID | tuid | The target account's source-specific identifier, as determined by the Collector from raw device data. | - / - / Y |
| TargetUserIdentity | tuident | The internal UUID of the identity associated with the target account. | - |
| TargetUserName | dun | The target user's account name (DestinationUsername). | - / Y / Y |
| TaxonomyLevel1 | rv50 | Event code categorization - level 1. Displayed under the event name in the format TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4. | Y / Y / Y |
| TaxonomyLevel2 | rv51 | Event code categorization - level 2. Displayed under the event name in the format TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4. | Y / Y / Y |
| TaxonomyLevel3 | rv52 | Event code categorization - level 3. Displayed under the event name in the format TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4. | Y / Y / Y |
| TaxonomyLevel4 | rv53 | Event code categorization - level 4. Displayed under the event name in the format TaxonomyLevel1 >> TaxonomyLevel2 >> TaxonomyLevel3 >> TaxonomyLevel4. | Y / Y / Y |
| VendorEventCode | rv40 | Event code reported by the device vendor. (String) | - |
| VirusStatus | rv46 | Virus status. | - |
| Vulnerability | vul | The vulnerability of the asset identified in this event. | - |
| XDASClass | xdasclass | The XDAS Event Class ID; refer to the XDAS specification. | - |
| XDASDetail | xdasdetail | The XDAS outcome detail; refer to the XDAS specification. | - |
| XDASIdentifier | xdasid | The XDAS Event Identifier; refer to the XDAS specification. | - |
| XDASOutcome | xdasoutcome | The XDAS major outcome: success, failure, or denial. | - |
| XDASOutcomeName | xdasoutcomename | Human-readable XDAS outcome. | Y / Y |
| XDASProvider | xdasprov | The XDAS Provider ID; refer to the XDAS specification. | - |
| XDASRegistry | xdasreg | The XDAS Registry ID; refer to the XDAS specification. | - |
| XDASTaxonomyName | xdastaxname | Human-readable XDAS event taxonomy string. | Y / Y |