Persistent Fields
The following keys can be expected within each message.
| Field | Value Type | Description |
|---|---|---|
| Event Date | DateTime | Event date (UTC) |
| Server Date | DateTime | DateTime of server event forwarding processing (UTC) |
| RefType | String | Event reference Id |
| Agent Desc | String | The last known relaying agent (for example, Application Bus 3.0) |
| Agent ID | String | The source or originating agent |
| Agent Ver | String | The version of the agent |
| Source Host | String | The machine name of the agent (or IP address if the machine name is not available) |
| Source IP | String | The IP address of the agent |
| OS | String | The operating system of the agent |
| Category | String | Event Category. This can be any number of verbs (T49152, U11234, Group, Audits, etc.) |
| Event Name | String | The name of the event |
| Event Desc | String | Additional descriptive details for the event. This varies in level of detail based on the event source, etc. |
| Event Severity | Integer | In general, severity ranges from 0-10, where Information = 0, low = 3, medium = 6, and high = 9 |
| Event Subject | String | Subject Identity at the root of the event. This can be a scanned asset (for example, IP or Hostname) or an action (for example, Application launch) |
| Event Type | Integer | [Reserved for future use] |
| User | String | The computer / machine user associated with the event |
| Workgroup ID | String | The workgroup ID (for example, BeyondTrust Workgroup) |
| Workgroup Desc | String | The workgroup name (for example, BeyondTrust) |
| Workgroup Location | String | The workgroup location (for example, Default Location) |
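A consumer of forwarded events (a SIEM parser, a detection pipeline) usually wants to check that each message actually carries these persistent fields with the documented types before building rules on them. The following validator is an added example and is not code from the product or its documentation. It assumes the message has already been deserialized into a dict keyed by the field names in the table (the wire encoding is not described on this page), assumes timestamps arrive as ISO 8601 strings, and maps the 0-10 severity scale into bands around the anchor values the table gives; the band thresholds and the sample event are constructed for illustration.

```python
"""Validate one forwarded event against the persistent fields table.

Added example, not from the product documentation.  Assumes the message is
already a dict keyed by the table's field names and that DateTime values are
ISO 8601 strings; neither the wire format nor the exact severity banding is
specified on the page, so both are assumptions here.
"""
import ipaddress
from datetime import datetime, timedelta

# Field name -> documented value type, copied from the table above.
PERSISTENT_FIELDS = {
    "Event Date": "DateTime",
    "Server Date": "DateTime",
    "RefType": "String",
    "Agent Desc": "String",
    "Agent ID": "String",
    "Agent Ver": "String",
    "Source Host": "String",
    "Source IP": "String",
    "OS": "String",
    "Category": "String",
    "Event Name": "String",
    "Event Desc": "String",
    "Event Severity": "Integer",
    "Event Subject": "String",
    "Event Type": "Integer",
    "User": "String",
    "Workgroup ID": "String",
    "Workgroup Desc": "String",
    "Workgroup Location": "String",
}

# Assumed banding of the 0-10 scale around the documented anchor values
# (Information = 0, low = 3, medium = 6, high = 9): a value belongs to the
# highest band whose floor it reaches.
SEVERITY_BANDS = ((9, "high"), (6, "medium"), (3, "low"), (0, "information"))


def parse_utc(value):
    """Parse an ISO 8601 timestamp and require an explicit UTC offset,
    since both DateTime fields are documented as UTC."""
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None or dt.utcoffset() != timedelta(0):
        raise ValueError(f"timestamp is not UTC: {value!r}")
    return dt


def severity_band(severity):
    """Map a 0-10 severity integer to its band; rejects bools and out-of-range values."""
    if isinstance(severity, bool) or not isinstance(severity, int):
        raise TypeError("severity must be an integer")
    if not 0 <= severity <= 10:
        raise ValueError("severity must be within 0-10")
    for floor, band in SEVERITY_BANDS:
        if severity >= floor:
            return band
    return "information"  # not reached: the floor-0 band matches every valid value


def validate_event(event):
    """Return a list of problems found in one message; an empty list means it conforms."""
    problems = []
    for field, value_type in PERSISTENT_FIELDS.items():
        if field not in event:
            problems.append(f"missing field: {field}")
            continue
        value = event[field]
        if value_type == "String" and not isinstance(value, str):
            problems.append(f"{field}: expected String, got {type(value).__name__}")
        elif value_type == "Integer" and (isinstance(value, bool) or not isinstance(value, int)):
            problems.append(f"{field}: expected Integer, got {type(value).__name__}")
        elif value_type == "DateTime":
            try:
                parse_utc(value)
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    # Value-level checks on fields that passed the type check.
    sev = event.get("Event Severity")
    if isinstance(sev, int) and not isinstance(sev, bool):
        try:
            severity_band(sev)
        except ValueError as exc:
            problems.append(f"Event Severity: {exc}")
    ip = event.get("Source IP")
    if isinstance(ip, str):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"Source IP: not a valid IP address: {ip!r}")
    return problems


# Constructed sample message; example values from the table are reused where it gives them.
SAMPLE_EVENT = {
    "Event Date": "2024-03-05T14:02:11Z",
    "Server Date": "2024-03-05T14:02:13Z",
    "RefType": "EVT-0001",
    "Agent Desc": "Application Bus 3.0",
    "Agent ID": "agent-01",
    "Agent Ver": "3.0.1",
    "Source Host": "ws-finance-07",
    "Source IP": "10.0.5.17",
    "OS": "Windows 10",
    "Category": "Audits",
    "Event Name": "Application launch",
    "Event Desc": "User launched an application (constructed sample)",
    "Event Severity": 3,
    "Event Subject": "Application launch",
    "Event Type": 0,
    "User": "CORP\\jdoe",
    "Workgroup ID": "BeyondTrust Workgroup",
    "Workgroup Desc": "BeyondTrust",
    "Workgroup Location": "Default Location",
}

if __name__ == "__main__":
    print(validate_event(SAMPLE_EVENT) or "sample event conforms")
    print("band:", severity_band(SAMPLE_EVENT["Event Severity"]))
```

The checks on Source IP and the UTC offset go beyond the bare type column: a String-typed field that is documented to hold an IP address, and a DateTime documented as UTC, are exactly the places where a relaying agent can silently drift from the schema, and catching that at ingestion is cheaper than debugging a detection rule that never fires.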