Source Fields
Overview
The source fields describe the originating system, device, or network endpoint associated with an event. They represent identifying and network-related attributes that characterize where an action, connection, or message was initiated. The entity provides a consistent structure for referencing source-side information across heterogeneous platforms and event types.
The source fields have the prefix source_ and describe the originating system or endpoint involved in the event. They are conceptually distinct from the top-level event field named source, which may represent the system that sent or forwarded the log message (for example a syslog relay or log collector) rather than the system that originated the activity.
Design and Usage
The source entity models conceptual properties of the system or endpoint responsible for originating activity described in an event. Its fields capture device identifiers, network addresses, operating system metadata, and other attributes commonly associated with source context. As a top-level entity, source supports reliable correlation and normalization across diverse logging formats and network environments.
Common Use Cases
- Associating activity with the device or endpoint that initiated a network connection or system action
- Normalizing heterogeneous source identifiers for use in detections, analytics, and investigative workflows
- Tracking attributes of originating systems to support behavioral baselining, asset classification, and forensic analysis
Implementation Notes
As a top-level entity, source represents the complete object describing the originating system or endpoint. Its fields should remain platform-neutral and consistently applied to preserve clarity across event types. If related entities such as destination or network are implied by an event but not explicitly populated, the corresponding fields may be added so that the direction of the activity (which end initiated it) and the network context remain unambiguous and the relationship between source and destination is preserved.
| field | field_type | description | example_values |
|---|---|---|---|
| source_bytes_sent | long | Amount of network data transmitted from the source, measured in bytes. | 29834710 |
| source_device_model | keyword | Model designation of the source device. | iPad |
| source_device_vendor | keyword | Manufacturer associated with the source device. | Apple, ASUS |
| source_hostname | keyword/lowercase | Hostname of the source system, represented in lowercase. | corpdc01, corpdc01.local, lab01.corpdomain.com |
| source_id | keyword | Identifier associated with the source device, such as a serial or hardware ID. | 09VX93DD |
| source_ip | ip | IPv4 or IPv6 address assigned to the source. | 10.1.2.3, fe80:5cc3:11:4::2c |
| source_ipv6 | ip | IPv6 address assigned to the source. | fe80:5cc3:11:4::2c |
| source_nat_ip | ip | Translated IP address assigned to the source by a network address translation mechanism. | 10.1.2.3, fe80:5cc3:11:4::2c |
| source_nat_port | integer | Translated network port assigned to the source by a network address translation mechanism. | 2384 |
| source_os_name | keyword | Name of the operating system running on the source device. | IOS, Android |
| source_os_version | keyword | Version value associated with the operating system of the source. | IOS 10.0 |
| source_packets_sent | long | Number of network packets transmitted from the source. | 23094823 |
| source_port | integer | Network port used by the source, represented as a value between 0 and 65535. | 45392 |
| source_port_iana_name | keyword | IANA-registered service name associated with the source port. | ssh, ftp |
| source_region | keyword | Geographic or cloud region associated with the source device. | us-east-1 |
| source_type | keyword | Type or classification of the source device. | |
| source_vm_name | keyword | Name of the virtual system associated with the source device. | |
| source_vsys_uuid | keyword | Unique identifier associated with the source virtual system. | |
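The following is an added example, not code from the schema or its authors, showing how a normalizer would map vendor-specific raw fields onto the source_ fields above while enforcing the table's type rules: ip fields must parse as IPv4 or IPv6 (an IPv6 source_ip is also copied to source_ipv6), source_hostname is lowercased, ports are bounded to 0..65535, byte and packet counters are integers, and source_port_iana_name is derived from source_port. The two raw events, their key mappings, and the small IANA name table are constructed for illustration; a real deployment would load the full IANA registry and its own vendor mappings.

```python
"""Normalize heterogeneous raw events into source_* fields (added example)."""
import ipaddress
from typing import Any, Dict

# Constructed subset of the IANA service-name registry (assumption: a real
# normalizer would load the complete registry).
IANA_PORT_NAMES = {21: "ftp", 22: "ssh", 53: "domain", 443: "https"}

IP_FIELDS = ("source_ip", "source_ipv6", "source_nat_ip")
PORT_FIELDS = ("source_port", "source_nat_port")
COUNTER_FIELDS = ("source_bytes_sent", "source_packets_sent")


def _port(value: Any) -> int:
    """Return an integer port in 0..65535, or raise ValueError."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def normalize_source(raw: Dict[str, Any], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Map raw vendor keys onto source_* fields and enforce the field types.

    `mapping` is {raw_key: source_field}. Empty or missing raw values are
    skipped rather than emitted as empty strings.
    """
    out: Dict[str, Any] = {}
    for raw_key, field in mapping.items():
        value = raw.get(raw_key)
        if value in (None, ""):
            continue
        if field in IP_FIELDS:
            addr = ipaddress.ip_address(str(value).strip())  # raises on garbage
            if field == "source_ipv6" and addr.version != 6:
                raise ValueError(f"{field} requires an IPv6 address, got {addr}")
            out[field] = str(addr)  # canonical (compressed) textual form
            if field == "source_ip" and addr.version == 6:
                out["source_ipv6"] = str(addr)
        elif field == "source_hostname":
            out[field] = str(value).strip().lower()  # keyword/lowercase
        elif field in PORT_FIELDS:
            out[field] = _port(value)
        elif field in COUNTER_FIELDS:
            out[field] = int(value)
        else:
            out[field] = str(value)  # plain keyword fields
    port = out.get("source_port")
    if port in IANA_PORT_NAMES:
        out["source_port_iana_name"] = IANA_PORT_NAMES[port]
    return out


# Constructed raw event in a firewall-style layout with NAT and byte counters.
FIREWALL_EVENT = {
    "src": "10.1.2.3", "sport": "45392", "natsrc": "203.0.113.7",
    "natsport": "2384", "bytes_sent": "29834710", "vsys": "vsys1",
}
FIREWALL_MAP = {
    "src": "source_ip", "sport": "source_port", "natsrc": "source_nat_ip",
    "natsport": "source_nat_port", "bytes_sent": "source_bytes_sent",
    "vsys": "source_vm_name",
}

# Constructed raw event in a device-management layout with OS and hardware data.
MDM_EVENT = {
    "device_name": "CorpDC01.local", "serial": "09VX93DD", "vendor": "Apple",
    "model": "iPad", "os": "IOS", "os_ver": "IOS 10.0",
    "client_ip": "fe80:5cc3:11:4::2c", "client_port": "22",
}
MDM_MAP = {
    "device_name": "source_hostname", "serial": "source_id",
    "vendor": "source_device_vendor", "model": "source_device_model",
    "os": "source_os_name", "os_ver": "source_os_version",
    "client_ip": "source_ip", "client_port": "source_port",
}


def normalize_firewall() -> Dict[str, Any]:
    return normalize_source(FIREWALL_EVENT, FIREWALL_MAP)


def normalize_mdm() -> Dict[str, Any]:
    return normalize_source(MDM_EVENT, MDM_MAP)


if __name__ == "__main__":
    for event in (normalize_firewall(), normalize_mdm()):
        print(event)
```

Rejecting out-of-range ports and unparseable addresses at normalization time, rather than storing whatever the vendor emitted, keeps the ip and integer typed fields queryable as such; the raw value can still be preserved in a separate field if an investigation needs it.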