Sentinel Meta-tags

Meta-tags store meta-data. Meta-data is information about data and pre-defined variable names. For example, the source IP of an attack is mapped to the SIP meta-tag and product names are mapped to the PN meta-tag. Meta-tags are populated either from device log data or as part of the Collector processing.

For information on the Event Configuration and mapping feature in the Sentinel Control Center, see the Admin tab documentation.

The value in the Collector Variable column is the name of the Collector variable to set in order to populate the corresponding Meta-tag. For more information about parsing commands, see Collector Parsing Commands and the documentation for specific Collectors.

The types specified in the Type column have the following properties:

NOTE: In the table below, Labels and Meta-tags are used in the Sentinel Control Center. Collector Variables are used in the Collector parsing language. Not all meta-tags have a corresponding Collector Variable.

| Label | Meta-tag | Type | Description | Collector Variable |
|---|---|---|---|---|
| Severity | sev | integer | The normalized severity of the event (0-5). | i_Severity |
| Vulnerability | vul | integer | The vulnerability of the asset identified in this event. | s_VULN |
| Criticality | crt | integer | The criticality of the asset identified in this event. | s_CRIT |
| EventTime | dt | date | The normalized date and time of the event, as given by the collector. | |
| SourceIP | sip | IPv4 | The source IP address from which the event originated. | s_SIP |
| DestinationIP | dip | IPv4 | The destination IP address to which the event was targeted. | s_DIP |
| EventID | id | UUID | Unique identifier for this event. | |
| SourceID | src | UUID | Unique identifier for the Sentinel service which generated this event. | |
| Collector | port | string | Name of the Collector that generated this event. | Not Applicable |
| CollectorScript | agent | string | The name of the Collector Script used by the Collector to generate this event. | Not Applicable |
| Resource | res | string | Compliance monitoring hierarchy level 1 | s_RES |
| SubResource | sres | string | Compliance monitoring hierarchy level 2 | s_SubRes |
| EventName | evt | string | The descriptive name of the event as reported (or given) by the sensor. Example: Port Scan. | s_EVT |
| SensorName | sn | string | The name of the ultimate detector of the event when received in raw data. Example: FW1 for a firewall. | s_SN |
| SensorType | st | string | The single character designator for the sensor type (N, H, O, V, C, A, I). | s_ST |
| DeviceEventTime | det | date | The normalized date and time of the event, as reported by the sensor. | |
| Protocol | prot | string | The network protocol of the event. | s_P |
| SourceHostName | shn | string | The source host name from which the event originated. | s_SHN |
| SourcePort | spint | integer | The source port from which the event originated. | s_SPINT |
| DestinationHostName | dhn | string | The destination host name to which the event was targeted. | s_DHN |
| DestinationPort | dpint | integer | The destination port to which the event was targeted. | s_DPINT |
| SourceUserName | sun | string | The source user name used to initiate an event. Example: jdoe during an attempt to su. | s_SUN |
| DestinationUserName | dun | string | The destination user name on which an action was attempted. Example: root during a password reset. | s_DUN |
| FileName | fn | string | The name of the program executed or the file accessed, modified or affected. | s_FN |
| ExtendedInformation | ei | string | Stores additional collector processed information. Values within this variable are separated by semi-colons (;). | s_EI |
| ReporterName | rn | string | The host name or IP address of the device to which an event was logged or from which notification of the event is sent. | s_RN |
| ProductName | pn | string | Indicates the type, vendor and product code name of the sensor from which the event was generated. | s_PN |
| Message | msg | string | Free-form message text for the event. | s_BM |
| DeviceAttackName | rt1 | string | Device specific attack name that matches attack name known by Advisor. (String) | s_RT1 |
| Rt2 | rt2 | string | Reserved by Novell for expansion. (String) | s_RT2 |
| Ct1 thru Ct2 | ct1 thru ct2 | string | Reserved for use by customers for customer-specific data. (String) | s_CT1 and s_CT2 |
| Rt3 | rt3 | integer | Reserved by Novell for expansion. (Number) | |
| Ct3 | ct3 | integer | Reserved for use by customers for customer-specific data. (Number) | s_CT3 |
| CorrelatedEventUuids | ceu | string | List of event UUIDs associated with this correlated event. Only relevant for correlated events. | s_RT3 |
| CustomerHierarchyId | rv1 | integer | Customer Hierarchy Id | s_RV1 |
| ReservedVar2 thru ReservedVar10 | rv2 thru rv10 | integer | Reserved by Novell for expansion. (Number) | s_RV2 thru s_RV10 |
| ReservedVar11 thru ReservedVar20 | rv11 thru rv20 | date | Reserved by Novell for expansion. (Date) | s_RV11 thru s_RV20 |
| CollectorManagerId | rv21 | UUID | Unique identifier for the Collector Manager which generated this event. | s_RV21 |
| CollectorId | rv22 | UUID | Unique identifier for the Collector which generated this event. | s_RV22 |
| ConnectorId | rv23 | UUID | Unique identifier for the Connector which generated this event. | s_RV23 |
| EventSourceId | rv24 | UUID | Unique identifier for the Event Source which generated this event. | s_RV24 |
| RawDataRecordId | rv25 | UUID | Unique identifier for the Raw Data Record associated with this event. | s_RV25 |
| ControlPack | rv26 | string | Not currently in use | s_RV26 |
| ControlMonitor | rv27 | string | Not currently in use | s_RV27 |
| ReservedVar28 | rv28 | string | Reserved by Novell for expansion. (String) | s_RV28 |
| SourceIPCountry | rv29 | string | Country of source IP address. | s_RV29 |
| AttackId | rv30 | string | Normalized Attack Id. This is taken from Advisor data. (String) | s_RV30 |
| DeviceName | rv31 | string | The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor. (String) | s_RV31 |
| DeviceCategory | rv32 | string | Device category (FW, IDS, AV, OS, DB). | s_RV32 |
| EventContext | rv33 | string | Event context (threat level). | s_RV33 |
| SourceThreatLevel | rv34 | string | Source threat level. | s_RV34 |
| SourceUserContext | rv35 | string | Source user context. | s_RV35 |
| DataContext | rv36 | string | Data context. | s_RV36 |
| SourceFunction | rv37 | string | Source function. | s_RV37 |
| SourceOperationalContext | rv38 | string | Source operational context. | s_RV38 |
| MSSPCustomerName | rv39 | string | MSSP customer name. | s_RV39 |
| VendorEventCode | rv40 | string | Event code reported by device vendor. (String) | s_RV40 |
| DestinationDomain | rv41 | string | Destination Domain. (String) | s_RV41 |
| SourceDomain | rv42 | string | Source Domain. (String) | s_RV42 |
| ReservedVar43 | rv43 | string | Reserved by Novell for expansion. (String) | s_RV43 |
| DestinationThreatLevel | rv44 | string | Destination threat level. | s_RV44 |
| DestinationUserContext | rv45 | string | Destination user context. | s_RV45 |
| VirusStatus | rv46 | string | Virus status. | s_RV46 |
| DestinationFunction | rv47 | string | Destination function. | s_RV47 |
| DestinationOperationalContext | rv48 | string | Destination operational context. | s_RV48 |
| CustomerHierarchyLevel1 | rv49 | string | Customer Hierarchy Level 1 (used by MSSPs) | s_RV49 |
| eSecTaxonomyLevel1 | rv50 | string | Sentinel event code categorization - level 1. | s_RV50 |
| eSecTaxonomyLevel2 | rv51 | string | Sentinel event code categorization - level 2. | s_RV51 |
| eSecTaxonomyLevel3 | rv52 | string | Sentinel event code categorization - level 3. | s_RV52 |
| eSecTaxonomyLevel4 | rv53 | string | Sentinel event code categorization - level 4. | s_RV53 |
| CustomerHierarchyLevel2 | rv54 | string | Customer Hierarchy Level 2 (used by MSSPs) | s_RV54 |
| CustomerHierarchyLevel3 | rv55 | string | Customer Hierarchy Level 3 (used by MSSPs) | s_RV55 |
| SourceAssetName | rv56 | string | Source Asset Name. Part of source host asset data. (String) | s_RV56 |
| SourceMacAddress | rv57 | string | Source Mac Address. Part of source host asset data. (String) | s_RV57 |
| SourceNetworkIdentity | rv58 | string | Source Network Identity. Part of source host asset data. (String) | s_RV58 |
| SourceAssetCategory | rv59 | string | Source Asset Category. Part of source host asset data. (String) | s_RV59 |
| SourceEnvironmentIdentity | rv60 | string | Source Environment Identity. Part of source host asset data. (String) | s_RV60 |
| SourceAssetValue | rv61 | string | Source Asset Value. Part of source host asset data. (String) | s_RV61 |
| SourceCriticality | rv62 | string | Source Criticality. Part of source host asset data. (String) | s_RV62 |
| SourceSensitivity | rv63 | string | Source Sensitivity. Part of source host asset data. (String) | s_RV63 |
| SourceBuilding | rv64 | string | Source Building. Part of source host asset data. (String) | s_RV64 |
| SourceRoom | rv65 | string | Source Room. Part of source host asset data. (String) | s_RV65 |
| SourceRackNumber | rv66 | string | Source Rack Number. Part of source host asset data. (String) | s_RV66 |
| SourceCity | rv67 | string | Source City. Part of source host asset data. (String) | s_RV67 |
| SourceState | rv68 | string | Source State. Part of source host asset data. (String) | s_RV68 |
| SourceCountry | rv69 | string | Source Country. Part of source host asset data. (String) | s_RV69 |
| SourceZipCode | rv70 | string | Source Zip Code. Part of source host asset data. (String) | s_RV70 |
| SourceAssetOwner | rv71 | string | Source Asset Owner. Part of source host asset data. (String) | s_RV71 |
| SourceAssetMaintainer | rv72 | string | Source Asset Maintainer. Part of source host asset data. (String) | s_RV72 |
| SourceBusinessUnit | rv73 | string | Source Business Unit. Part of source host asset data. (String) | s_RV73 |
| SourceLineOfBusiness | rv74 | string | Source Line Of Business. Part of source host asset data. (String) | s_RV74 |
| SourceDivision | rv75 | string | Source Division. Part of source host asset data. (String) | s_RV75 |
| SourceDepartment | rv76 | string | Source Department. Part of source host asset data. (String) | s_RV76 |
| SourceAssetId | rv77 | string | Source Asset Id. Part of source host asset data. (String) | s_RV77 |
| DestinationAssetName | rv78 | string | Destination Asset Name. Part of destination host asset data. (String) | s_RV78 |
| DestinationMacAddress | rv79 | string | Destination Mac Address. Part of destination host asset data. (String) | s_RV79 |
| DestinationNetworkIdentity | rv80 | string | Destination Network Identity. Part of destination host asset data. (String) | s_RV80 |
| DestinationAssetCategory | rv81 | string | Destination Asset Category. Part of destination host asset data. (String) | s_RV81 |
| DestinationEnvironmentIdentity | rv82 | string | Destination Environment Identity. Part of destination host asset data. (String) | s_RV82 |
| DestinationAssetValue | rv83 | string | Destination Asset Value. Part of destination host asset data. (String) | s_RV83 |
| DestinationCriticality | rv84 | string | Destination Criticality. Part of destination host asset data. (String) | s_RV84 |
| DestinationSensitivity | rv85 | string | Destination Sensitivity. Part of destination host asset data. (String) | s_RV85 |
| DestinationBuilding | rv86 | string | Destination Building. Part of destination host asset data. (String) | s_RV86 |
| DestinationRoom | rv87 | string | Destination Room. Part of destination host asset data. (String) | s_RV87 |
| DestinationRackNumber | rv88 | string | Destination Rack Number. Part of destination host asset data. (String) | s_RV88 |
| DestinationCity | rv89 | string | Destination City. Part of destination host asset data. (String) | s_RV89 |
| DestinationState | rv90 | string | Destination State. Part of destination host asset data. (String) | s_RV90 |
| DestinationCountry | rv91 | string | Destination Country. Part of destination host asset data. (String) | s_RV91 |
| DestinationZipCode | rv92 | string | Destination Zip Code. Part of destination host asset data. (String) | s_RV92 |
| DestinationAssetOwner | rv93 | string | Destination Asset Owner. Part of destination host asset data. (String) | s_RV93 |
| DestinationAssetMaintainer | rv94 | string | Destination Asset Maintainer. Part of destination host asset data. (String) | s_RV94 |
| DestinationBusinessUnit | rv95 | string | Destination Business Unit. Part of destination host asset data. (String) | s_RV95 |
| DestinationLineOfBusiness | rv96 | string | Destination Line Of Business. Part of destination host asset data. (String) | s_RV96 |
| DestinationDivision | rv97 | string | Destination Division. Part of destination host asset data. (String) | s_RV97 |
| DestinationDepartment | rv98 | string | Destination Department. Part of destination host asset data. (String) | s_RV98 |
| DestinationAssetId | rv99 | string | Destination Asset Id. Part of destination host asset data. (String) | s_RV99 |
| CustomerHierarchyLevel4 | rv100 | string | Customer Hierarchy Level 4 (used by MSSPs) | s_RV100 |
| CustomerVar1 thru CustomerVar10 | cv1 thru cv10 | integer | Reserved for use by customers for customer-specific data. (Number) | s_CV1 thru s_CV10 |
| CustomerVar11 thru CustomerVar20 | cv11 thru cv20 | date | Reserved for use by customers for customer-specific data. (Date) | s_CV11 thru s_CV20 |
| CustomerVar21 thru CustomerVar29 | cv21 thru cv29 | string | Reserved for use by customers for customer-specific data. (String) | s_CV21 thru s_CV29 |
| CustomerVar30 thru CustomerVar34 | cv30 thru cv34 | string | Reserved for use by customers for customer-specific data. (String) | s_CV30 thru s_CV34 |
| CustomerVar35 thru CustomerVar89 | cv35 thru cv89 | string | Reserved for use by customers for customer-specific data. (String) | s_CV35 thru s_CV89 |
| SARBOX | cv90 | string | Set to 1 if the asset is governed by Sarbanes-Oxley through an asset map. (String) | s_CV90 |
| HIPAA | cv91 | string | Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation through an asset map. (String) | s_CV91 |
| GLBA | cv92 | string | Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation through an asset map. (String) | s_CV92 |
| FISMA | cv93 | string | Set to 1 if the asset is governed by the Federal Information Security Management Act (FISMA) regulation through an asset map. (String) | s_CV93 |
| NISPOM | cv94 | string | Set to 1 if the asset is governed by National Industrial Security Program Operating Manual (NISPOM) regulation through an asset map. (String) | s_CV94 |
| SIPCountry | cv95 | string | Source Country based on Source Ip. (String) | s_CV95 |
| DIPCountry | cv96 | string | Destination Country based on Destination Ip. (String) | s_CV96 |
| CustomerVar97 thru CustomerVar100 | cv97 thru cv100 | string | Reserved for use by customers for customer-specific data. (String) | s_CV97 thru s_CV100 |
| DeviceEventTimeString | et | string | The normalized date and time of the event, as reported by the sensor. | s_ET |
| SentinelProcessTime | spt | date | The date and time Sentinel received the event. | Not Applicable |
| BeginTime | bgnt | date | The date and time the event started occurring. | s_BGNT |
| EndTime | endt | date | The date and time the event stopped occurring. | s_ENDT |
| RepeatCount | rc | integer | The number of times the same event occurred if multiple occurrences were consolidated. | s_RC |
| SourcePortName | sp | string | The source port from which the event originated. | s_SP |
| DestinationPortName | dp | string | The destination port to which the event was targeted. | s_DP |
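
As an added illustration (not Novell's Collector code and not part of the original documentation), the Python below checks a set of Collector variables against the types given in the table above and builds the meta-tag view of the event, so that malformed values are rejected before they reach correlation. The `normalize` function, the `FIELD_MAP` subset and the sample values are assumptions constructed for this example.

```python
import ipaddress

# Subset of the table above: Collector variable -> (meta-tag, type).
FIELD_MAP = {
    "i_Severity": ("sev", "integer"),
    "s_SIP": ("sip", "IPv4"),
    "s_DIP": ("dip", "IPv4"),
    "s_DPINT": ("dpint", "integer"),
    "s_EVT": ("evt", "string"),
    "s_ST": ("st", "string"),
    "s_EI": ("ei", "string"),
    "s_RC": ("rc", "integer"),
}
SENSOR_TYPES = set("NHOVCAI")  # designators listed for SensorType


def normalize(collector_vars):
    """Return (event, errors): typed meta-tag values and rejected fields."""
    event, errors = {}, []
    for var, raw in collector_vars.items():
        if var not in FIELD_MAP:
            errors.append(f"{var}: no meta-tag mapping in FIELD_MAP")
            continue
        tag, typ = FIELD_MAP[var]
        try:
            if typ == "integer":
                value = int(raw)
            elif typ == "IPv4":
                value = str(ipaddress.IPv4Address(raw))
            else:
                value = str(raw)
        except ValueError as exc:
            errors.append(f"{var} -> {tag}: {exc}")
            continue
        if tag == "sev" and not 0 <= value <= 5:
            errors.append(f"{var} -> sev: {value} outside 0-5")
        elif tag == "st" and value not in SENSOR_TYPES:
            errors.append(f"{var} -> st: unknown designator {value!r}")
        elif tag == "ei":
            # ExtendedInformation holds semicolon-separated values.
            event[tag] = [part for part in value.split(";") if part]
        else:
            event[tag] = value
    return event, errors


# Constructed sample input (documentation address ranges), not real log data.
SAMPLE = {
    "i_Severity": "4", "s_SIP": "192.0.2.10", "s_DIP": "198.51.100.300",
    "s_DPINT": "22", "s_EVT": "Port Scan", "s_ST": "N",
    "s_EI": "rule=42;iface=eth0", "s_XYZ": "?",
}
```

Calling `normalize(SAMPLE)` keeps the six well-formed fields and reports the invalid destination address and the unmapped variable as errors.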