Sentinel 6.1 Rapid Deployment Event Fields; Event Field Labels And Tags - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual


1 Sentinel 6.1 Rapid Deployment Event Fields

Every Sentinel event or correlated event has certain fields that are automatically populated (such as
Event Time and Event UUID) and other fields that may or may not be populated, depending on the
type of event, the collector parsing, and the mapping service configuration. This event data is visible
in Active Views, historical queries, and reports. It is stored in the database and can be accessed
via the report views. It can also be used in actions available through the right-click event menu,
correlation actions, and iTRAC workflow actions.
Section 1.1, "Event Field Labels and Tags"
Section 1.2, "List of Fields and Representations"

1.1 Event Field Labels and Tags

Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible
throughout the Sentinel Control Center interface, for example:
Column headers for Active Views, historical event queries, and the Active Browser
Correlation wizard drop-down menus
Active View configuration drop-down menus
Each field has a default label, but that label is user-configurable using the Event Configuration
option on the Admin tab. For more information, see "Admin" section in Sentinel 6.1 Rapid
Deployment User Guide. InitUserName is the default label to represent the account name of the
user who initiated the event, but this can be changed by the administrator. When a user changes the
default label, the changes are reflected in most areas of the interface, including any correlation rules,
filters, and right-click menu options.
WARNING: Changing the default label for variables other than Customer Variables may cause
confusion when working with Novell Technical Services or other parties who are familiar with the
default names. In addition, JavaScript Collectors built by Novell refer to the default labels described
in this chapter and are not automatically updated to refer to new labels.
Each field also has a short tag name that is always used for internal references to the field and is not
user-configurable. This short tag name may not correspond exactly to the default label; Sentinel
labels have changed over the years, but the underlying short tags remain the same for backward
compatibility. (For example, InitUserName is the default label for the account name of the user who
initiated the event. The default label was previously SourceUserName, and the underlying short tag
is "sun".)
NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all
filters, actions, and correlation rule definitions are defined using the short tags, even though the label
may be visible in the interface, there is no change in functionality due to the label renaming.
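
The split between renamable labels and fixed short tags described above, as an added JavaScript sketch (not Novell's code and not a Sentinel API). It shows why a filter stored by tag survives a label rename while a script with a hard-coded label does not. Only the tag "sun" and the label InitUserName come from this guide; the second field, the new label, the function names and the sample event are constructed assumptions.

```javascript
// Added illustration, not Sentinel code. From the guide: tag "sun" and its
// default label InitUserName. Constructed: field "x01", all function names,
// the new label "Initiator" and the sample event.

// Registry keyed by the fixed short tag; only the label may change.
function makeRegistry() {
  return new Map([
    ["sun", { label: "InitUserName" }],
    ["x01", { label: "ExampleField" }], // constructed placeholder field
  ]);
}

// Look up the tag that currently carries a given label (null if none).
function tagForLabel(registry, label) {
  for (const [tag, field] of registry) {
    if (field.label === label) return tag;
  }
  return null;
}

// Administrator-style rename: the tag is untouched, duplicates are rejected.
function relabel(registry, tag, newLabel) {
  if (!registry.has(tag)) throw new Error("unknown tag: " + tag);
  const owner = tagForLabel(registry, newLabel);
  if (owner !== null && owner !== tag) throw new Error("label in use: " + newLabel);
  registry.get(tag).label = newLabel;
}

// A filter is authored with labels but stored with tags, so a later rename
// cannot change what it matches.
function compileFilter(registry, conditions) {
  return conditions.map(({ label, equals }) => {
    const tag = tagForLabel(registry, label);
    if (tag === null) throw new Error("unknown label: " + label);
    return { tag, equals };
  });
}

// In this sketch, events carry their values under short tags.
function matches(compiled, event) {
  return compiled.every((c) => event[c.tag] === c.equals);
}

// What a script with a hard-coded label sees: undefined once the label moves.
function readByLabel(registry, event, label) {
  const tag = tagForLabel(registry, label);
  return tag === null ? undefined : event[tag];
}
```

After `relabel(registry, "sun", "Initiator")`, a filter compiled earlier still matches the same events, but `readByLabel(registry, event, "InitUserName")` returns `undefined`, which is the situation the WARNING describes for scripts that refer to default labels.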
