Vendor Fields
Overview
The vendor fields describe information supplied directly by a product or technology that generated the event. They represent classifications, outcomes, severities, identifiers, and other attributes defined by the originating system to convey context specific to its internal logic or actions. The entity provides a normalized structure for referencing vendor-specific metadata while maintaining consistency across heterogeneous event sources.
Design and Usage
The vendor entity models conceptual properties that originate from a product's own terminology or evaluation processes. Its fields capture descriptive labels, severity ratings, categorizations, and identifiers that reflect how the originating system characterizes the activity being reported. The vendor_* fields generally preserve the values provided by the originating system to maintain fidelity with the source data. Normalized fields elsewhere in the schema may represent interpreted or standardized forms of these values, while the vendor_* fields retain the product-defined representations used by the event source.
Common Use Cases
- Preserving vendor-defined descriptions and severity indicators to provide context for alerts and system-generated outcomes
- Enriching normalized event fields with additional detail that reflects the originating product's internal classification or decision logic
- Supporting investigations and analytics that incorporate both normalized and vendor-specific terminology
Implementation Notes
As a top-level entity, vendor represents metadata defined by the originating system and should retain its native values for clarity. The fields within this entity are intended to capture product-specific descriptions without altering their wording or meaning. In cases where source values must be transformed into a standardized format for consistent representation, the transformed form should preserve the conceptual meaning of the original data. If a related normalized field exists elsewhere in the schema, the vendor fields may provide complementary detail that maintains fidelity with the source system's semantics.
| field | field_type | description | example_values |
|---|---|---|---|
| vendor_alert_severity | keyword | Vendor-defined textual indicator representing the severity of an alert. | critical, high, medium, low |
| vendor_alert_severity_level | integer | Vendor-defined numeric value representing the severity level of an alert. | 4, 3, 2, 1 |
| vendor_authentication_provider | keyword | Vendor-defined value indicating the system or service responsible for validating credentials. | Active Directory |
| vendor_credential_type | keyword | Type of credential identified by the originating system. | password, token |
| vendor_event_action | keyword | Vendor-defined label describing the action or behavior represented by the event. | allow, deny, pass, fail |
| vendor_event_category | keyword | Category assigned by the originating system to classify the event. | Removable Media, Registry, File System |
| vendor_event_description | keyword | Vendor-defined descriptive text that provides additional detail about the event action. | |
| vendor_event_outcome | keyword | Vendor-defined result associated with the action recorded in the event. | block, drop, report, allow, reject |
| vendor_event_outcome_reason | keyword | Vendor-provided text describing the reason for the reported action or outcome. | |
| vendor_event_severity | keyword | Vendor-defined textual severity rating for the event. | critical, high, medium, low, informational |
| vendor_event_severity_level | integer | Vendor-defined numeric severity rating for the event. | 0, 1, 5, 10 |
| vendor_event_timestamp | date | Date and time of the event as defined by the originating system, represented in a standardized date-time format. | 2024-10-03T07:38:31.407Z |
| vendor_private_ip | ip | Private network address reported by the originating system. | |
| vendor_private_ipv6 | ip | Private IPv6 address reported by the originating system. | |
| vendor_public_ip | ip | Public network address reported by the originating system. | |
| vendor_public_ipv6 | ip | Public IPv6 address reported by the originating system. | |
| vendor_signin_protocol | keyword | Authentication or sign-in protocol identified by the originating system. | |
| vendor_subtype | keyword | Vendor-defined subtype that characterizes the specific category or subject of the log message. | ids, dnsmasq, kernel, threat |
| vendor_threat_suspected | keyword | Indicator representing whether the originating system suspects a threat. | |
| vendor_transaction_id | keyword | Identifier assigned by the originating system to represent a specific transaction or operation. | |
| vendor_transaction_type | keyword | Type of transaction or operation as defined by the originating system. | |
| vendor_user_type | keyword | Classification of the user as defined by the originating system. | |
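A small mapper, added here as an illustration and not part of the schema project's own code, that applies the Implementation Notes to the fields in the table: vendor-defined keyword values are copied verbatim, each value is checked against the table's field_type, the timestamp is brought to the standardized form shown in the table, and each reported address is routed to the private/public and IPv4/IPv6 field based on the address itself rather than on a source label. The raw record layout, the SOURCE_MAP keys and the sample values are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone
# field_type per vendor_* field, taken from the table on this page
FIELD_TYPES = {
    "vendor_alert_severity": "keyword", "vendor_alert_severity_level": "integer",
    "vendor_event_action": "keyword", "vendor_event_outcome": "keyword",
    "vendor_event_timestamp": "date", "vendor_subtype": "keyword",
    "vendor_threat_suspected": "keyword", "vendor_private_ip": "ip",
    "vendor_private_ipv6": "ip", "vendor_public_ip": "ip", "vendor_public_ipv6": "ip",
}
# Hypothetical source-key -> vendor_* mapping for one constructed product log format
SOURCE_MAP = {
    "sev": "vendor_alert_severity", "sev_num": "vendor_alert_severity_level",
    "act": "vendor_event_action", "result": "vendor_event_outcome",
    "ts": "vendor_event_timestamp", "module": "vendor_subtype",
    "threat": "vendor_threat_suspected",
}
def coerce(field_type, value):
    """Enforce the schema field_type; keyword text is kept verbatim (no case folding)."""
    if field_type == "keyword":
        return str(value)
    if field_type == "integer":
        return int(value)
    if field_type == "ip":
        return str(ipaddress.ip_address(value))  # rejects malformed addresses
    if field_type == "date":  # any ISO 8601 offset -> the UTC "Z" form used in the table
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    raise ValueError(f"unknown field_type {field_type}")

def ip_field_for(addr):
    """Choose vendor_{private,public}_ip[v6] from the address itself, not the source label."""
    ip = ipaddress.ip_address(addr)
    return f"vendor_{'private' if ip.is_private else 'public'}{'_ipv6' if ip.version == 6 else '_ip'}"

def map_vendor_fields(raw):
    """Map one raw record onto vendor_* fields, validating types and dropping empty values."""
    out = {}
    for src_key, field in SOURCE_MAP.items():
        value = raw.get(src_key)
        if value not in (None, ""):
            out[field] = coerce(FIELD_TYPES[field], value)
    for addr in raw.get("addresses", []):
        field = ip_field_for(addr)
        out[field] = coerce(FIELD_TYPES[field], addr)
    return out

# Constructed sample record; "1.2.3.4" is a placeholder public address
SAMPLE = {"sev": "High", "sev_num": "3", "act": "deny", "result": "block",
          "ts": "2024-10-03T09:38:31.407+02:00", "module": "ids", "threat": "yes",
          "addresses": ["10.20.30.40", "1.2.3.4", "fd00::1"]}
```

Note that "High" is not lowercased and "yes" is not rewritten to a boolean: the vendor_* fields keep the product's own wording, and any interpreted form belongs in a normalized field elsewhere in the schema.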