Sentinel event properties
Last updated May 27th, 2026
Primary Information (Common Fields)
DeviceImei1
IMEI1 of the device
DeviceImei2
IMEI2 of the device
DeviceModel
Model number of the device
DeviceSerialNumber
Serial number of the device
DeviceWifimac
Hardware Wi-Fi MAC address of the device
EventId
ID associated with the event on the device
EventTime
Timestamp when the event was generated on the device
MitreTtp
Technique ID from the MITRE ATT&CK framework for the event
Name
Name of the event
PrimaryImei
Primary IMEI of the device
Profile
Profile indicates whether the event carries additional metadata that provides context; the value is derived from the device profile the event originated from.
If the value is ‘Public’, events consist of all the contextual information or metadata, which are not sensitive in nature. These events can be from Fully Managed (DO), Work (WPC-W) or Personal Profile (WPC-P) on Corporate-owned Personally-enabled (COPE) devices.
For a few events, the value is ‘Private’ which indicates the events may not contain any contextual information or metadata. Such events are typically from Personal Profile (WPC-P) on COPE devices.
Severity
Severity of the event.
High severity events are typically indicators of attack (IOA) or compromise (IOC) that could be a potentially malicious threat resulting in significant damage.
High and Medium severity events are generally actionable, while Low severity events help provide contextual information for incident investigations and policy violations.
TimeGenerated
Timestamp (in UTC) when the event was ingested into Sentinel.
EventTime and TimeGenerated generally refer to the same timestamp, unless the event is ingested into Sentinel 3 days after it is generated on the device. In such cases, TimeGenerated reflects when the event was ingested into Sentinel rather than when it occurred.
Type
Each event is classified based on its domain; events are generally of type application, audit, process, network, system, or user.
This also identifies the custom table used to store the event data in the Log Analytics workspace in Sentinel.
Version
Version number of the datasource that generated the event
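As an added example (not part of the Knox documentation or the Knox Sentinel connector), the following KQL query applies the Severity, Profile and TimeGenerated semantics described above to triage events in Sentinel. The table name `KnoxEvents_CL` is a placeholder, because the page states only that each event Type maps to its own custom table without naming them; substitute the table(s) present in your workspace.

```kusto
// Placeholder table name (assumption): replace with the custom table for the
// event Type you are investigating.
KnoxEvents_CL
| where TimeGenerated > ago(7d)
// High and Medium severity events are the actionable ones; Low severity is
// contextual and is deliberately left out of this triage view.
| where Severity in ("High", "Medium")
// EventTime and TimeGenerated normally match. A gap of 3 days or more means the
// device reported late, so time-based correlation must use EventTime, not
// TimeGenerated.
| extend IngestLagDays = datetime_diff("day", TimeGenerated, EventTime)
| extend LateIngest = IngestLagDays >= 3
// Private-profile events may carry no contextual metadata, so an empty
// PkgName or Path on such an event is expected rather than a collection gap.
| extend LimitedContext = Profile == "Private"
| summarize Events = count(),
            HighCount = countif(Severity == "High"),
            LateEvents = countif(LateIngest),
            PrivateEvents = countif(LimitedContext),
            Techniques = make_set(MitreTtp, 20),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime)
  by DeviceSerialNumber, DeviceModel, Type
| order by HighCount desc, Events desc
```

Use FirstSeen and LastSeen (from EventTime) when building an incident timeline; TimeGenerated is only the ingestion watermark.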
Contextual Information
AccessibilityApi
Accessibility API name
Action
Action performed, either install or update
AdmPkgName
Admin package name
AdmUserId
User ID of the admin
ArpDevice
Android Recovery Partition
Atime
Access time: the last time the file was accessed
AvbBootPatchLevel
Latest security patch applied to the bootloader (AVB)
AvbBootState
Boot State in the Android Verified Boot (AVB)
AvbDeviceLocked
Device lock state in the AVB
AvbOsPatchLevel
OS Patch level associated with AVB
AvbOsVersion
OS version associated with AVB (device bootloader)
AvbVendorPatchLevel
Latest security patch applied to the vendor partition managed through AVB
AvbVerityMode
Use of dm-verity to verify the integrity of larger partitions, e.g., system and vendor partitions
BLBuildId
Bootloader QuickBuild id
BLBuildType
Bootloader build type (e.g., market/fac, User/Userdebug/Eng, Official/Custom)
BLBuildVersion
Bootloader build version
BLEvent
Bootloader event (previous download failure reason)
BLEventTarget
Bootloader event target (previous download failure binary)
BLMode
Bootloader mode
BLRP
Bootloader Recovery Partition (RP) count
CCModeState
Status of the device configuration in Common Criteria (CC) mode
CmdLine
Command line used to execute the current process, including any arguments given by the executor
ConfidenceScore
Probability of the event being malicious; value 1 indicates it’s malicious while 0 indicates it’s benign
Ctime
Change time: the last time the file’s metadata was modified
CustomCount
Number of times custom kernel is flashed/booted
Cwd
Current working directory: the directory path that the current thread refers to when locating resources
EDLCount
Emergency Download (EDL) mode: special boot mode that allows for forceful flashing of firmware
Egid
Effective GID: GID of a process during execution (Dynamically changeable unlike GID)
EmFuseHistory
History of fuse values when the device is in engineering mode
EmStatus
Status of the device when in Engineering Mode (EM)
EmTokens
Tokens associated when device is in Engineering Mode (EM)
Euid
Effective UID: UID of a process during execution (Dynamically changeable unlike UID)
EventDetectedTime
Actual time the event was detected
ExitCode
Result from execution of the process
FailureReason
Reason why a specific procedure failed, e.g., device wipe
FOTACount
Number of times the device has received firmware over-the-air (OTA) updates
FrpState
Status of the factory reset protection (FRP) feature
Fsgid
File System GID: Extra GID used for permission checks when accessing filesystem objects.
Fsgid is normally the same as the egid if setfsgid() is not called.
Fsuid
File System UID: Extra UID used for permission checks when accessing filesystem objects.
Fsuid is normally the same as the euid if setfsuid() is not called.
Gid
Group ID: unique ID of the group to which the user belongs
ImgStatus
Boot image status
InetFamily (family)
Interface address family such as AF_INET (IPv4), AF_INET6 (IPv6) and others
InterfaceName
Identifies the network interface of a connection
Ja3Fingerprint
MD5 hash calculated from a list of specific fields in the TLS packet
KernelBuildId
Kernel QuickBuild id
KernelBuildType
Kernel build type (e.g., market/fac, User/Userdebug/Eng, Official/Custom)
KernelRP
Kernel Recovery Partition (RP) count
KernelState
State of Kernel type binaries
KeyMask
Disabled keyguard feature mask.
Please refer to DevicePolicyManager.setKeyguardDisabledFeatures(ComponentName, int).
KGFuse
Value of Knox Guard fuse
KGState
Status of Knox Guard feature
MDMState
Status of MDM enabled on the device
Mtime
Modification time: the last time the file’s contents were modified
ODINCount
Number of times the device has entered ODIN mode
OwnerGid
Owner GID: The executable file owner’s GID
OwnerUid
Owner UID: The executable file owner’s UID
Path
File path where the current process’s executable file exists
Pid
Process ID: unique ID of the process to which the current thread belongs
PkgName
App or package name associated with the security event
Ppid
Parent PID: Parent process’s PID
Protocol
Protocol used to ensure secure network transmission between the two entities
RebootReason
Reason for device reboot
RemoteAddr
Identifies the destination address of a connection
RemotePort
Identifies the destination port of a connection
RestrictedPerms
Restricted permissions provided to the application on the device
RPMBState
Replay Protected Memory Block (RPMB): state of the protected memory region used to store data in an authenticated area
SecureBoot
Secure boot state; secure boot verifies the authenticity and integrity of the software loaded during the boot process
Sgid
Saved GID: special GID that allows a file to be executed with a group of the user who executes the file
SocketType
Identifies the type of socket
SourceAddr
Identifies the origin address of a connection
SourcePort
Identifies the origin port of a connection
Suid
Saved UID: special UID that allows a file to be executed with the owner’s permissions instead of the current user’s permissions
Syscall
System Call number related to current event
SystemRP
System Recovery Partition count
Tid
Thread ID: Unique ID of current thread
Uid
User ID: unique ID of the user that is assigned to the process.
*UserId (Uid) is an attribute of UNIX-like operating systems
UnlockCount
Number of times bootloader is unlocked
Url
URL that the user or system encountered on device
UrlType
Code to indicate the type of URL encountered on device
UserId
Same as Uid
VbMetaType
State of vbmeta type (custom)
WbFuse
Value of the Warranty Bit fuse; indicates whether the device has ever been booted into an unapproved state
WbReason
Reason for the value associated with the Warranty Bit fuse
WbState
State of blowing Warranty fuse (warranty void)