Table sem5.dbo.AGENT_SECURITY_LOG_2
Stores security events that occur on agents

Generated by SchemaSpy
Column Type Size Nulls Auto Default Children Parents Comments
USN bigint 8 A USN-based serial number; this ID is not unique.
DOMAIN_ID char 32 GUID of the domain to which the log belongs
SITE_ID char 32 GUID of the site to which the log belongs
SERVER_ID char 32 GUID of the server to which the log belongs
GROUP_ID char 32 GUID of the group to which the log belongs
COMPUTER_ID char 32 GUID of the client computer associated with the agent security log
TIME_STAMP bigint 8 The time when the event was logged into the system (GMT); this is server-side time
EVENT_ID int 4 Compliance events:
209 = Host Integrity failed (TSLOG_SEC_NO_AV)
210 = Host Integrity passed (TSLOG_SEC_AV)
221 = Host Integrity failed but reported as PASS
237 = Host Integrity custom log entry

Firewall and IPS events:
207 = Active Response
211 = Active Response Disengaged
219 = Active Response Cancelled
205 = Executable file changed
216 = Executable file change detected
217 = Executable file change accepted
218 = Executable file change denied
220 = Application Hijacking
201 = Invalid traffic by rule
202 = Port Scan
203 = Denial of Service
204 = Trojan
206 = Intrusion Prevention System (Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED)
208 = MAC Spoofing
249 = Browser Protection event

Application and Device control:
238 = Device control disabled device
239 = Buffer Overflow Event
240 = Software protection has thrown an exception
EVENT_TIME bigint 8 The event generated time (GMT)
SEVERITY int 4 Severity as defined in the security rule:
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
AGENT_ID char 32  √  null GUID of the agent
HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
HOST_NAME nvarchar 512  √  null Host Name of client computer
LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (may be empty if name resolution failed)
TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)
NETWORK_PROTOCOL tinyint 1  √  null The protocol type. Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
HACK_TYPE int 4  √  null Overloaded field whose meaning depends on EVENT_ID:
the reason code if the event ID is TSLOG_SEC_NO_AV (209);
the intrusion ID if the event ID is TSLOG_SEC_INTRUSION_DETECTED (206);
additional information if the event ID is TSLOG_SEC_AV (210).

Reason codes (bit flags, for TSLOG_SEC_NO_AV):

Bit 0 set = process is not running
Bit 1 set = signature is out of date
Bit 2 set = recovery was attempted
BEGIN_TIME bigint 8  √  null The begin time of security issue
END_TIME bigint 8  √  null The end time of the security issue. End time is optional because the exact end time of some traffic (UDP, for example) may not be detectable; in those cases the end time is equal to the begin time.
REPETITION int 4  √  null The number of attacks. When an attacker launches a mass attack, the log system may aggregate the repetitions into one event.
APP_NAME nvarchar 512  √  null The full path of the application involved. It may be empty if the application is unknown or no application was involved; for example, a ping-of-death DoS attack has no AppName because it targets the OS itself.
EVENT_DESC nvarchar 4000  √  null Description of the event. Usually, the first line of the description is treated as the summary.
EVENT_DATA varbinary 3000  √  null Additional data in binary format. This field is optional.
ALERT tinyint 1  √  null Reflects the alert attribute of the profile action; true if action::alert is true. (Yes = 1, No = 0)
SEND_SNMP_TRAP tinyint 1  √  null Reflects the send-SNMP-trap action; true if send is true. (Yes = 1, No = 0)
LOCAL_HOST_MAC varchar 18  √  null The MAC address of local computer
REMOTE_HOST_MAC varchar 18  √  null The MAC address of remote computer
LOCATION_NAME nvarchar 512  √  null The location used when event occurs
USER_NAME nvarchar 512  √  null Login user name
DOMAIN_NAME nvarchar 512  √  null Login domain name
RESERVED_INT1 int 4  √  null
RESERVED_INT2 int 4  √  null
RESERVED_BIGINT1 bigint 8  √  null
RESERVED_BIGINT2 bigint 8  √  null
RESERVED_CHAR1 char 32  √  null
RESERVED_CHAR2 char 32  √  null
RESERVED_VARCHAR1 nvarchar 520  √  null
RESERVED_BINARY varbinary 1900  √  null
AGENT_SECURITY_LOG_IDX char 32  √  null Log index unique ID
LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
LOCAL_PORT int 4 ((0)) Local port
REMOTE_PORT int 4 ((0)) Remote port
CIDS_SIGN_ID bigint 8 ((0)) Signature ID
STR_CIDS_SIGN_ID nvarchar 520 ('') Signature Name
CIDS_SIGN_SUB_ID bigint 8 ((0)) Signature sub ID
INTRUSION_URL nvarchar 4200 ('') URL from detection
INTRUSION_PAYLOAD_URL nvarchar 4200 ('') URL that hosted payload
HI_EXECUTION_ID varchar 50  √  null Execution ID that the SNAC agent generates for each HI execution.
AGENT_VERSION nvarchar 128  √  null Agent version number of client
PROFILE_SERIAL_NO varchar 64  √  null Policy serial number
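A decoder for the enumerated columns described above (EVENT_ID, SEVERITY, TRAFFIC_DIRECTION, NETWORK_PROTOCOL and the overloaded HACK_TYPE), added here as an example; it is not part of the SchemaSpy output or the product's own code. It assumes rows are handed over as dicts keyed by column name, and the enum and bit values are the ones stated in the column comments.

```python
# Added example (not SEPM code): decode the enumerated columns of an
# AGENT_SECURITY_LOG_2 row using the values listed in the column comments.
EVENT_NAMES = {  # EVENT_ID -> name, from the EVENT_ID column comment
    209: "Host Integrity failed", 210: "Host Integrity passed",
    221: "Host Integrity failed but reported as PASS",
    237: "Host Integrity custom log entry", 207: "Active Response",
    211: "Active Response Disengaged", 219: "Active Response Cancelled",
    205: "Executable file changed", 216: "Executable file change detected",
    217: "Executable file change accepted", 218: "Executable file change denied",
    220: "Application Hijacking", 201: "Invalid traffic by rule",
    202: "Port Scan", 203: "Denial of Service", 204: "Trojan",
    206: "Intrusion Prevention System", 208: "MAC Spoofing",
    249: "Browser Protection event", 238: "Device control disabled device",
    239: "Buffer Overflow Event", 240: "Software protection has thrown an exception",
}
TSLOG_SEC_NO_AV, TSLOG_SEC_INTRUSION_DETECTED, TSLOG_SEC_AV = 209, 206, 210
DIRECTION = {0: "unknown", 1: "inbound", 2: "outbound"}   # TRAFFIC_DIRECTION
PROTOCOL = {1: "OTHERS", 2: "TCP", 3: "UDP", 4: "ICMP"}   # NETWORK_PROTOCOL
HACK_TYPE_BITS = ((0, "process not running"), (1, "signature out of date"),
                  (2, "recovery attempted"))              # HACK_TYPE bits for 209

def severity_band(severity):
    """Map SEVERITY (0-15) to the band named in the column comment."""
    if not 0 <= severity <= 15:
        raise ValueError(f"SEVERITY {severity} outside 0-15")
    return ("Critical", "Major", "Minor", "Info")[severity // 4]

def decode_hack_type(event_id, hack_type):
    """HACK_TYPE is overloaded: its meaning depends on EVENT_ID."""
    if hack_type is None:
        return None
    if event_id == TSLOG_SEC_NO_AV:        # bit flags, lowest bit first
        return {"reasons": [n for bit, n in HACK_TYPE_BITS if hack_type >> bit & 1]}
    if event_id == TSLOG_SEC_INTRUSION_DETECTED:
        return {"intrusion_id": hack_type}
    if event_id == TSLOG_SEC_AV:
        return {"info": hack_type}
    return {"raw": hack_type}              # not documented for other events

def decode_row(row):
    # Human-readable view of one row (a dict keyed by column name).
    event_id = row["EVENT_ID"]
    return {
        "event": EVENT_NAMES.get(event_id, f"unknown event {event_id}"),
        "severity": severity_band(row["SEVERITY"]),
        "direction": DIRECTION.get(row.get("TRAFFIC_DIRECTION"), "unknown"),
        "protocol": PROTOCOL.get(row.get("NETWORK_PROTOCOL"), "n/a"),
        "hack_type": decode_hack_type(event_id, row.get("HACK_TYPE")),
        "repetition": row.get("REPETITION") or 1,  # NULL -> single occurrence
    }
```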

Analyzed at Mon Oct 29 12:07 PDT 2012

Indexes:
Column(s) Type Sort Constraint Name
USN Performance Asc I_AGENT_SECURITY_LOG_2
AGENT_SECURITY_LOG_IDX Performance Asc I_AGENT_SECURITY_LOG_2_AGENT_SECURITY_LOG_IDX
COMPUTER_ID Performance Asc I_AGENT_SECURITY_LOG_2_COMPUTER_ID
HI_EXECUTION_ID Performance Asc I_AGENT_SECURITY_LOG_2_HI_EXECUTION_ID
EVENT_ID Performance Asc I_AGENT_SECURITY_LOG_2_ID
SEVERITY Performance Asc I_AGENT_SECURITY_LOG_2_SEV
EVENT_TIME Performance Asc I_AGENT_SECURITY_LOG_2_TIME
TIME_STAMP Performance Asc I_AGENT_SECURITY_LOG_2_TS