Variables are used to derive values from events, assets, and other resources (for example, a target IP address in an attack event, the MAC address or zone of a vulnerable asset, the timestamps on a user login session, entries in a hot list, and so forth).
You can use variables to create and tune Active Channels, Filters, Reports, Rules, Field Sets, and Data Monitors, or to expose more information, such as in report or grid view columns. The editors for these tools each include a Variables tab on which to add, edit, or remove variables.
Once created, variables appear in the Common Conditions Editor (CCE) as additional fields on the Filters or Conditions tabs; in Group By arguments for data monitors and rules; and in Select, Group By, and Order By fields for queries. In the Field Set Editor, variables are an additional category that appears once variables are defined.
Variables are especially useful for situational-awareness applications, such as reporting on attacks by division, and for compliance monitoring, such as reporting the number of compromise events directed at Sarbanes-Oxley-related devices.
Asset-category variables are based on the relevant resource ID of the modeled network asset (device). Timestamp variables are based on the start, end, or receipt times recorded by SmartConnectors, Managers, or devices.