| Field | Description |
|---|---|
| Date | Date and time of the event. |
| Sheriff Sensor (Deputy) | Sensor that processed the event. |
| Device IP | IP address of the Sheriff CSM Sensor that processed the event. |
| Event Type ID | ID assigned by Sheriff CSM to identify the event type. |
| Unique Event ID# | Unique ID number assigned to the event by Sheriff CSM. |
| Protocol | Protocol used for the source/destination of the event, for example, TCP/IP. |
| Category | Event taxonomy for the event, for example, Authentication or Exploit. |
| Sub-Category | Subcategory of the event taxonomy type listed under Category. For example, if the category were Exploit, the subcategory could be Denial of Service. |
| Data Source Name | Name of the external application or device that produced the event. |
| Data Source ID | ID associated with the external application or device that produced the event. |
| Product Type | Product type of the event taxonomy, for example, Operating System or Server. Note: Events with IP Reputation-related data have product types; OTX pulses do not. |
| Additional Info | If the event were generated by a suspicious URL, for example, this field would state URL. When present, these URLs provide additional background information and references about the components associated with the event. |
| Priority | Priority ranking, based on the priority value of the event type. Each event type has a priority value, which is used in risk calculation. |
| Reliability | Reliability ranking, based on the reliability value of the event type. Each event type has a reliability value, which is used in risk calculation. |
| Risk | Risk level of the event: Low = 0, Medium = 1, High > 1. Note: Risk is calculated with the formula Asset Value * Event Reliability * Event Priority / 25 = Risk. If Asset Value = 3, Reliability = 2 and Priority = 2, the risk would be 3 * 2 * 2 / 25 = 0.48 (rounded down to 0); therefore, Risk is Low. |
| OTX Indicators | Number of indicators associated with an IP Reputation or OTX pulse event. |
| Source / Destination | IP addresses and hostname for the source and destination, respectively, of the event. If the host is an asset, you can right-click it to go to the Asset Details page for information. Right-clicking the IP address displays a menu from which you can select information about the IP, such as all events originating from that host or all events for which the IP is the destination. The fields below give the details shown for the source and destination. |
| Hostname | Hostname of the event source/destination. If the source or destination hostname for an event is within your asset inventory, this field contains a value. You can click it to go to the Asset Details page for more information. |
| MAC Address | Media Access Control (MAC) address of the host for the event, if known. |
| Port | External or internal asset source/destination port for the event. |
| Latest Update | The last time Sheriff CSM updated the asset properties. |
| Username & Domain | Username and domain associated with the asset that generated the event. |
| Asset Value | Asset value of the source/destination asset, if it is within your asset inventory. |
| Location | If the host's country of origin is known, displays the national flag of the event source or destination. |
| Context | If the asset belongs to a user-defined group of entities, Sheriff CSM displays the contexts. |
| Asset Groups | When the host for the event source/destination is an asset belonging to one or more of your asset groups, this field lists the asset group name or names. You can click the field to go to the Asset Details page for more information. |
| Networks | When the host for the event source/destination is an asset belonging to one or more of your networks, this field lists the networks. You can click the field to go to the Network Group Details page for more information. |
| Logged Users | A list of any users who have been active on the asset, as detected by the asset scan, including, for example, the username and user privilege (such as admin). |
| OTX IP Reputation | (Yes/No) Whether or not IP Reputation identifies the IP address as suspicious. |
| Service | List of services or applications detected on the source/destination port. |
| Port (service) | Port used by the service or application. |
| Protocol (service) | Protocol used by the service or application. |
| Raw Log | Raw log details of the event. |
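The Risk field above is derived from three numbers, and the rounding rule ("rounded down") decides which events cross the Medium and High thresholds. The following Python is an added worked example, not Sheriff CSM code: it applies the formula Asset Value * Event Reliability * Event Priority / 25 with integer floor division, maps the result to Low/Medium/High using the thresholds stated in the table, and tallies a batch of constructed events. The event dictionaries, their field names and the values chosen for them are assumptions for illustration; the page does not state the valid ranges of asset value, reliability or priority.

```python
"""Worked example of the Risk calculation described in the event details table.

Added illustration; not the product's own implementation. Field names and
sample values are constructed for this example.
"""
from collections import Counter

RISK_DIVISOR = 25  # constant from the formula on the page


def risk_score(asset_value: int, reliability: int, priority: int) -> int:
    """Asset Value * Event Reliability * Event Priority / 25, rounded down.

    Integer floor division avoids float artefacts and matches the page's
    "rounded down" rule: 3 * 2 * 2 / 25 = 0.48 becomes 0, and 1.6 becomes 1
    (ordinary rounding would have turned 1.6 into 2, i.e. High).
    """
    if min(asset_value, reliability, priority) < 0:
        raise ValueError("inputs must be non-negative")
    return (asset_value * reliability * priority) // RISK_DIVISOR


def risk_label(score: int) -> str:
    """Thresholds from the table: Low = 0, Medium = 1, High > 1."""
    if score == 0:
        return "Low"
    if score == 1:
        return "Medium"
    return "High"


def classify_event(event: dict) -> tuple[int, str]:
    """Return (score, label) for one event record (constructed field names)."""
    score = risk_score(event["asset_value"], event["reliability"], event["priority"])
    return score, risk_label(score)


def summarize(events: list[dict]) -> dict[str, int]:
    """Count events per risk label, e.g. to sanity-check a tuning change."""
    return dict(Counter(classify_event(e)[1] for e in events))


# Constructed sample events (values are assumptions, not from the page).
SAMPLE_EVENTS = [
    # The page's own worked case: 3 * 2 * 2 / 25 = 0.48 -> 0 -> Low
    {"id": "evt-1", "asset_value": 3, "reliability": 2, "priority": 2},
    # 4 * 5 * 2 / 25 = 1.6 -> rounded down to 1 -> Medium (not High)
    {"id": "evt-2", "asset_value": 4, "reliability": 5, "priority": 2},
    # 5 * 10 * 5 / 25 = 10 -> High
    {"id": "evt-3", "asset_value": 5, "reliability": 10, "priority": 5},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, label = classify_event(ev)
        print(f"{ev['id']}: score={score} risk={label}")
    print(summarize(SAMPLE_EVENTS))
```

The second sample event is the case worth remembering when reviewing alert volumes: a product of 40 gives 1.6, which the floor rule keeps at Medium, so raising any one of the three inputs slightly can tip an event into High without the raw product looking very different.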