Table sem5.dbo.AGENT_BEHAVIOR_LOG_2
Stores client activities that occur on agents. The LOG_IDX field serves as the table's unique identifier, but it is not formally declared as the primary key: it carries an index, but not a primary-key index. The table has no primary key.

Generated by SchemaSpy
| Column | Type | Size | Nulls | Default | Comments |
|---|---|---|---|---|---|
| USN | bigint | 8 | no | | A USN-based serial number; this ID is not unique. |
| DOMAIN_ID | char | 32 | no | | GUID of the domain to which the log belongs |
| SITE_ID | char | 32 | no | | GUID of the site to which the log belongs |
| SERVER_ID | char | 32 | no | | GUID of the server to which the log belongs |
| GROUP_ID | char | 32 | no | | GUID of the group to which the log belongs |
| COMPUTER_ID | char | 32 | no | | GUID of the client computer associated with the agent log |
| TIME_STAMP | bigint | 8 | no | | Time when the event was logged into the system (GMT); this is server-side time |
| EVENT_ID | int | 4 | no | | Event ID sent by the agent: 501 = Application Control Driver; 502 = Application Control Rules; 999 = Tamper Protection |
| EVENT_TIME | bigint | 8 | no | | Time the event was generated (GMT) |
| SEVERITY | int | 4 | no | | Seriousness of the event; 0 is most serious |
| AGENT_ID | char | 32 | yes | null | GUID of the agent |
| HARDWARE_KEY | char | 32 | yes | null | Hash of the computer's hardware information |
| HOST_NAME | nvarchar | 512 | yes | null | Host name of the client computer |
| ACTION | int | 4 | yes | null | What was done: 0 = allow; 1 = block; 2 = ask; 3 = continue; 4 = terminate |
| TEST_MODE | int | 4 | yes | null | Was this rule run in test mode? 0 = no; any other value = yes |
| DESCRIPTION | nvarchar | 512 | yes | null | What behavior was blocked |
| VAPI_NAME | nvarchar | 512 | yes | null | What API was blocked |
| ENCODED_API_NAME | nvarchar | 512 | yes | null | |
| BEGIN_TIME | bigint | 8 | yes | null | Begin time of the security issue |
| END_TIME | bigint | 8 | yes | null | End time of the security issue. This field is optional because the exact end time of some traffic (such as UDP) may not be detectable; in those cases the end time equals the begin time. |
| RULE_ID | char | 32 | yes | null | ID of the rule triggered by the event. Always 0 if no rule ID is specified in the security rule. Useful for troubleshooting security rules. If multiple rules matched, the rule that made the final decision in PacketProc (pass/block/drop) is logged. |
| RULE_NAME | nvarchar | 512 | yes | null | Name of the rule triggered by the event; an empty string if not specified in the security rule. Useful for troubleshooting: in theory a rule can be identified by its ID, but the name allows quicker recognition. |
| CALLER_PROCESS_ID | bigint | 8 | yes | null | ID of the process that triggered the logging |
| CALLER_PROCESS_NAME | nvarchar | 512 | yes | null | Full path of the application involved. May be empty if the application is unknown, if the OS itself is involved, if no application is involved, or if the profile says "don't log application name in raw traffic log". |
| CALLER_RETURN_ADDRESS | bigint | 8 | yes | null | Return address of the caller. This field lets the software identify the calling module that made the API call. |
| CALLER_RETURN_MODULE_NAME | nvarchar | 512 | yes | null | Module name of the caller; see CALLER_RETURN_ADDRESS for more information |
| PARAMETER | nvarchar | 512 | yes | null | Parameters used in the API call. Each parameter is converted to string form and separated by one space character; double quotation marks within a string are escaped with a backslash (\). |
| ALERT | int | 4 | yes | null | Indicates whether this event is counted during alert notification processing at the server: true (1) if the event was logged by Tamper Protection, false (0) otherwise |
| SEND_SNMP_TRAP | tinyint | 1 | yes | null | Reflects the "send SNMP trap" action; true if send is true |
| USER_NAME | nvarchar | 512 | yes | null | Login user name |
| DOMAIN_NAME | nvarchar | 512 | yes | null | Login (Windows) domain name |
| RESERVED_INT1 | int | 4 | yes | null | |
| RESERVED_INT2 | int | 4 | yes | null | |
| RESERVED_BIGINT1 | bigint | 8 | yes | null | |
| RESERVED_BIGINT2 | bigint | 8 | yes | null | |
| RESERVED_CHAR1 | char | 32 | yes | null | |
| RESERVED_CHAR2 | char | 32 | yes | null | |
| RESERVED_VARCHAR1 | nvarchar | 520 | yes | null | |
| RESERVED_BINARY | varbinary | 2000 | yes | null | |
| REPETITION | int | 4 | no | ((1)) | Event repetition count due to aggregation (damper) |
| LOG_IDX | char | 32 | yes | null | Log index unique ID |
| IP_ADDR | bigint | 8 | yes | null | IP address of the machine associated with the application control violation |
| FILE_SIZE | bigint | 8 | yes | null | Size in MB of the file associated with the application control violation |
| ACTION_TYPE | smallint | 2 | yes | null | Violation type that triggered the SymProtect event; valid values are 0 to 58 inclusive |
| PARAM_DEVICE_ID | varchar | 256 | yes | null | GUID of an external device (floppy disk, DVD, USB device, etc.) |

Analyzed at Mon Oct 29 12:07 PDT 2012

Indexes:

| Column(s) | Type | Sort | Constraint Name |
|---|---|---|---|
| USN | Performance | Asc | I_AGENT_BEHAVIOR_LOG_2 |
| COMPUTER_ID + GROUP_ID + ALERT + USN + EVENT_ID | Performance | Asc/Asc/Asc/Asc/Asc | I_AGENT_BEHAVIOR_LOG_2_COMPUTER_ID_PLUS |
| EVENT_ID | Performance | Asc | I_AGENT_BEHAVIOR_LOG_2_ID |
| LOG_IDX | Performance | Asc | I_AGENT_BEHAVIOR_LOG_2_LOG_IDX |
| EVENT_TIME | Performance | Asc | I_AGENT_BEHAVIOR_LOG_2_TIME |
| TIME_STAMP | Performance | Asc | I_AGENT_BEHAVIOR_LOG_2_TS |
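As an added example (not part of the SchemaSpy output, and not code shipped with the product this schema belongs to), the following T-SQL shows how a defender would triage this table using only the columns, value codes and indexes documented above. It assumes SQL Server (suggested by the `sem5.dbo` prefix). The unit of TIME_STAMP and EVENT_TIME is not stated on the page, so the queries only use them for ordering and for first/last-seen bounds, never for arithmetic.

```sql
-- Added example: defender triage queries over sem5.dbo.AGENT_BEHAVIOR_LOG_2.
-- Assumptions: SQL Server dialect; TIME_STAMP/EVENT_TIME units unknown, so they are
-- only ordered and bounded, not converted.

-- 1. Newest enforced Application Control blocks/terminations (test-mode hits excluded).
--    EVENT_ID is covered by I_AGENT_BEHAVIOR_LOG_2_ID and TIME_STAMP by ..._TS.
SELECT TOP (100)
       HOST_NAME, DOMAIN_NAME, USER_NAME,
       CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME,
       VAPI_NAME, PARAMETER, RULE_NAME,
       ACTION, EVENT_ID, REPETITION, TIME_STAMP
FROM   sem5.dbo.AGENT_BEHAVIOR_LOG_2
WHERE  EVENT_ID IN (501, 502)        -- Application Control Driver / Rules
  AND  ACTION  IN (1, 4)             -- 1 = block, 4 = terminate
  AND  ISNULL(TEST_MODE, 0) = 0      -- 0 = enforced; any other value = test mode
ORDER BY TIME_STAMP DESC;

-- 2. Tamper Protection activity per host and rule. REPETITION holds the damper
--    aggregation count, so sum it instead of counting rows, or repeated events
--    collapsed by the agent are undercounted.
SELECT HOST_NAME, RULE_NAME, ACTION,
       SUM(REPETITION)  AS event_count,
       MIN(EVENT_TIME)  AS first_seen,
       MAX(EVENT_TIME)  AS last_seen
FROM   sem5.dbo.AGENT_BEHAVIOR_LOG_2
WHERE  EVENT_ID = 999                -- Tamper Protection (these rows carry ALERT = 1)
GROUP BY HOST_NAME, RULE_NAME, ACTION
ORDER BY event_count DESC;

-- 3. LOG_IDX is documented as the unique identifier but has no primary-key
--    constraint, so uniqueness is a convention rather than a guarantee. Check it
--    before using LOG_IDX as a deduplication key in a SIEM export.
SELECT LOG_IDX, COUNT(*) AS copies
FROM   sem5.dbo.AGENT_BEHAVIOR_LOG_2
GROUP BY LOG_IDX
HAVING COUNT(*) > 1;
```

Query 1 filters on EVENT_ID and ACTION before sorting, so the EVENT_ID index narrows the candidate rows and the TIME_STAMP index serves the sort; query 3 should return no rows on a healthy table, and any duplicates it does return are worth inspecting before trusting LOG_IDX downstream.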