All: we are beginning a comprehensive schema review and will be posting
some of our questions here for discussion. Feel free to contribute your
ideas and comments.

Question 1: The Sentinel Event Schema does not currently have a field
or fields to contain the MAC (Media Access Control) address of standard
network interfaces; these values are commonly reported for certain types
of routing events and DHCP address assignment events.

Do you think we should include MAC addresses in our base schema, and if
so, which ones?

- InitiatorMAC (the host that caused an activity to occur)
- TargetMAC (the host that was the target of some activity)
- ObserverMAC (the host that detected and reported the activity)

DCorlette's Profile: