| Field | Attributes | Purpose |
|---|---|---|
| AgentGUID | Unique identifier, required | The reporting CMA agent identifier. Unique among all ePO agents on all ePO servers. |
| ReceivedUTC | Datetime, required, default=GETDATE() | Date/time the event was stored in the database (stored in UTC datetime format). |
| DetectedUTC | Datetime, required | The date/time when the analyzer detected this event. Distinct from, and always earlier than, ReceivedUTC (see above). Stored in UTC format. |
| Analyzer | Nvarchar(16), required | The software or hardware that generates this event. This field is analogous to the traditional ePO SoftwareID or ProductCode. Example: VSE8000 |
| AnalyzerName | Nvarchar(64), required | The product name as a displayable string. |
| AnalyzerVersion | Nvarchar(20), required | Version string of the analyzer. |
| AnalyzerHostName | Nvarchar(128), optional | Network host name of the computer, including domain prefix as needed. |
| AnalyzerIPV4 | Int, optional, default=null | The 32-bit IPv4 address of the analyzer. |
| AnalyzerIPV6 | Binary(16), optional, default=null | The 128-bit IPv6 address of the analyzer. |
| AnalyzerMAC | Nvarchar(16), optional, default=null | The MAC address of the analyzer. |
| AnalyzerDATVersion | Nvarchar(20), optional, default=null | Populated in the following scenarios: (1) the threat was detected by a product that uses DAT technology; (2) the event reports the DAT version. |
| AnalyzerENGVersion | Nvarchar(20), optional, default=null | Populated in the following scenarios: (1) the threat was detected by a product that uses scanning engine technology; (2) the event reports the engine version string. |
| SourceHostName | Nvarchar(128), optional, default=null | The threat source host name where applicable (such as IPS events), if detectable. |
| SourceIPV4 | Int, optional, default=null | The threat source 32-bit IPv4 address. |
| SourceIPV6 | Binary(16), optional, default=null | The threat source 128-bit IPv6 address. |
| SourceMAC | Nvarchar(16), optional, default=null | The threat source MAC address, where applicable. |
| SourceUserName | Nvarchar(128), optional, default=null | The threat source username or email address. |
| SourceProcessName | Nvarchar(128), optional, default=null | The threat source process name, if detectable. |
| SourceURL | Nvarchar(256), optional, default=null | The threat source URL, if detectable (for HTTP requests that trigger threat detections). |
| TargetHostName | Nvarchar(128), optional, default=null | The threat target host name, where applicable (such as IPS events). |
| TargetIPV4 | Int, optional, default=null | The 32-bit threat target IPv4 address. |
| TargetIPV6 | Binary(16), optional, default=null | The threat target 128-bit IPv6 address. |
| TargetMAC | Nvarchar(16), optional, default=null | The threat target MAC address, where applicable. |
| TargetUserName | Nvarchar(128), optional, default=null | The threat target username or email address. |
| TargetPort | Smallint, optional, default=null | The threat target port for network-homed threat classes. |
| TargetProtocol | Nvarchar(16), optional, default=null | The threat target protocol for network-homed threat classes (http, ftp, Netbios, SMTP, SNMP, pick your favorite protocol from your Linux /etc/services file). |
| TargetProcessName | Nvarchar(128), optional, default=null | The threat target process name, where applicable. |
| TargetFileName | Nvarchar(256), optional, default=null | The threat target file name, where applicable. |
| ThreatCategory | Nvarchar(128), required | Hierarchical category string describing the threat. |
| ThreatEventID | uint32, uint32 | Event ID (currently the TVD event identifier). Managed products obtain their Event ID ranges from us. |
| ThreatSeverity | uint32, required, default=1 | Severity of the event instance. In summary, this value is a number ranging from one (1) through seven (7), with (1) being the highest severity and (7) being the lowest/informational. |
| ThreatName | uint32, required | Name of this threat, such as a virus name or a firewall rule name. |
| ThreatType | Nvarchar(32), required | Analyzer-dependent classification of the event type. For example, VSE uses values such as 'virus', 'trojan', 'pup'. ePO advises managed products to prefix the value with the product code and to provide friendly translations. |
| ThreatActionTaken | Nvarchar(32), required, default=none | Action taken against the threat, if any. For example, 'cleaned', 'deleted', 'blocked'. ePO advises managed products to prefix the value with the product code and to provide friendly translations. |
| ThreatHandled | bit, optional, default=null | Indicates whether the threat was handled. Currently 0 (not handled) and 1 (handled) are supported. If the event is not threat-oriented, set to null. |
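The schema above is what a consumer of these events has to validate and normalize before it can triage them. The following Python is an added example, not McAfee's code or data: it checks records against the required fields, Nvarchar lengths, the 1..7 severity scale and the DetectedUTC/ReceivedUTC ordering stated in the table, converts the Int and Binary(16) address columns to text, and applies a simple defender's filter (high-severity events whose ThreatHandled is 0). The sample records, their ThreatEventID values and the assumption that the Int column holds the IPv4 address in network byte order as a signed 32-bit integer are all constructed here and should be checked against a real server.

```python
"""Validate and triage ePO-style threat event records (added example).

Field names follow the EPOEvents schema on this page. The sample records and
the IPv4 integer encoding are assumptions made for this example.
"""
import ipaddress
import struct
from datetime import datetime, timezone
from typing import Optional

# Fields the schema marks as required.
REQUIRED = (
    "AgentGUID", "ReceivedUTC", "DetectedUTC", "Analyzer", "AnalyzerName",
    "AnalyzerVersion", "ThreatCategory", "ThreatEventID", "ThreatSeverity",
    "ThreatName", "ThreatType", "ThreatActionTaken",
)

# Nvarchar(n) limits from the schema; catching overlong values avoids silent truncation.
MAX_LEN = {"Analyzer": 16, "AnalyzerName": 64, "AnalyzerVersion": 20,
           "ThreatCategory": 128, "ThreatType": 32, "ThreatActionTaken": 32,
           "SourceHostName": 128, "TargetFileName": 256}


def ipv4_from_int(value: Optional[int]) -> Optional[str]:
    """Int column -> dotted IPv4 string.

    Assumption: the column holds the address in network byte order as a signed
    32-bit integer (so addresses with the top bit set are negative).
    """
    if value is None:
        return None
    return str(ipaddress.IPv4Address(struct.pack(">i", value)))


def ipv6_from_bytes(value: Optional[bytes]) -> Optional[str]:
    """Binary(16) column -> textual IPv6 address."""
    if value is None:
        return None
    return str(ipaddress.IPv6Address(value))


def validate(event: dict) -> list:
    """Return the list of schema problems; an empty list means the record is acceptable."""
    problems = []
    for name in REQUIRED:
        if event.get(name) is None:
            problems.append(f"missing required field {name}")
    sev = event.get("ThreatSeverity")
    if sev is not None and not 1 <= sev <= 7:
        problems.append(f"ThreatSeverity {sev} outside 1..7")
    for name, limit in MAX_LEN.items():
        val = event.get(name)
        if val is not None and len(val) > limit:
            problems.append(f"{name} longer than Nvarchar({limit})")
    det, rec = event.get("DetectedUTC"), event.get("ReceivedUTC")
    if det and rec and det > rec:          # detection must precede storage
        problems.append("DetectedUTC is later than ReceivedUTC")
    if event.get("ThreatHandled") not in (None, 0, 1):
        problems.append("ThreatHandled is not 0, 1 or null")
    return problems


def unhandled_high_severity(events, max_severity=3):
    """Triage filter: valid events with severity 1..max_severity and ThreatHandled == 0.

    Severity 1 is the most severe on this scale, so the comparison is '<='.
    Records whose ThreatHandled is null are not threat-oriented and are skipped.
    """
    return [e for e in events
            if not validate(e)
            and e["ThreatSeverity"] <= max_severity
            and e.get("ThreatHandled") == 0]


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def _ip_int(dotted: str) -> int:
    """Encode a dotted address the way ipv4_from_int expects (constructed helper)."""
    return struct.unpack(">i", ipaddress.IPv4Address(dotted).packed)[0]


# Constructed sample records; GUIDs, IDs and addresses are not real ePO data.
_BASE = {"Analyzer": "VSE8000", "AnalyzerName": "Sample AV", "AnalyzerVersion": "8.0.0",
         "ReceivedUTC": _utc(2024, 1, 5, 10, 0, 30), "DetectedUTC": _utc(2024, 1, 5, 10, 0, 0),
         "ThreatCategory": "av.detect", "ThreatType": "virus"}
SAMPLE_EVENTS = [
    dict(_BASE, AgentGUID="00000000-0000-0000-0000-000000000001", ThreatEventID=1001,
         ThreatSeverity=2, ThreatName="EICAR test file", ThreatActionTaken="deleted",
         ThreatHandled=1, AnalyzerIPV4=_ip_int("10.0.0.5")),
    dict(_BASE, AgentGUID="00000000-0000-0000-0000-000000000002", ThreatEventID=1002,
         ThreatSeverity=1, ThreatName="Sample trojan", ThreatActionTaken="none",
         ThreatHandled=0, SourceIPV4=_ip_int("192.168.1.20")),
    dict(_BASE, AgentGUID="00000000-0000-0000-0000-000000000003", ThreatEventID=1003,
         ThreatSeverity=7, ThreatName="Scan completed", ThreatActionTaken="none",
         ThreatHandled=None),
]
# Deliberately broken record: severity out of range and ThreatName missing.
BAD_EVENT = dict(_BASE, AgentGUID="00000000-0000-0000-0000-000000000004", ThreatEventID=1004,
                 ThreatSeverity=9, ThreatActionTaken="none", ThreatHandled=0)

if __name__ == "__main__":
    for e in unhandled_high_severity(SAMPLE_EVENTS):
        print(e["ThreatEventID"], e["ThreatName"], ipv4_from_int(e.get("SourceIPV4")))
    print(validate(BAD_EVENT))
```

The filter deliberately ignores records with ThreatHandled null rather than treating them as unhandled, because the schema reserves null for events that are not threat-oriented; conflating the two would flood a triage queue with informational entries.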