- The vendor fields are to capture data provided by the source, as-is
- The vendor fields are intended to capture information that is either used in the content we develop, or can be used to provide background on how a field such as event_outcome was defined
Field Name | Example Values | Field Type | Notes |
---|---|---|---|
vendor_alert_severity | critical, high, medium, low | keyword | When the message is an alert, this is the vendor-provided text description of the alert severity |
vendor_alert_severity_level | 4, 3, 2, 1 | integer | When the message is an alert, this is the vendor-provided numeric value for the alert severity |
vendor_authentication_provider | Active Directory | keyword | Vendor-defined; a short description of the service providing credential validation |
vendor_credential_type | password, token | keyword | Vendor-defined credential type |
vendor_event_action | allow, deny, pass, fail | keyword | Vendor-defined action; a short, typically one-word, description of the action the event describes. The value is used verbatim from the source log, including case. |
vendor_event_category | Removable Media, Registry, File System | keyword | Vendor-defined category of an event |
vendor_event_description | | keyword | Vendor-defined description of the action, with more detail than vendor_event_action |
vendor_event_outcome | block, drop, report, allow, reject | keyword | Vendor-defined result of the action described in the message |
vendor_event_outcome_reason | | keyword | Vendor-provided text giving the reason for the vendor-provided action and/or outcome the message describes |
vendor_event_severity | critical, high, medium, low, informational | keyword | Vendor-defined text description of the severity rating |
vendor_event_severity_level | 0, 1, 5, 10 | integer | Vendor-defined numeric severity rating for this event |
vendor_private_ip | | ip | |
vendor_private_ipv6 | | ip | |
vendor_public_ip | | ip | |
vendor_public_ipv6 | | ip | |
vendor_signin_protocol | | keyword | |
vendor_subtype | ids, dnsmasq, kernel, threat | keyword | Vendor-defined subtype of log; this differs from event_log_name in that it refers to the subject or category of the log message |
vendor_threat_suspected | | keyword | |
vendor_transaction_id | | keyword | |
vendor_transaction_type | | keyword | |
vendor_user_type | | keyword | |
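As an added illustration of the convention above (example code, not from the original page or its project), the extractor below copies source values into vendor_* fields verbatim, coerces only the declared field type, routes IPv6 values to the matching _ipv6 field, and derives a normalized event_outcome from vendor_event_outcome without rewriting the vendor value. The source key names, the sample message and the normalized outcome values are assumptions.

```python
import ipaddress
import json

# Constructed sample source message (not from any real vendor); key names are assumed.
SAMPLE_LOG = json.dumps({
    "sev": "High", "sev_num": "3", "act": "Deny", "outcome": "DROP",
    "src": "10.0.0.5", "nat_src": "2001:db8::9", "type": "threat",
})

# vendor_* field -> (assumed source key, field type from the table above)
VENDOR_FIELD_MAP = {
    "vendor_alert_severity": ("sev", "keyword"),
    "vendor_alert_severity_level": ("sev_num", "integer"),
    "vendor_event_action": ("act", "keyword"),
    "vendor_event_outcome": ("outcome", "keyword"),
    "vendor_private_ip": ("src", "ip"),
    "vendor_public_ip": ("nat_src", "ip"),
    "vendor_subtype": ("type", "keyword"),
}

# Assumed normalized event_outcome values; the vendor value itself is never rewritten.
OUTCOME_TO_EVENT_OUTCOME = {
    "allow": "success", "block": "failure", "drop": "failure", "reject": "failure",
}


def extract_vendor_fields(raw_message: str) -> dict:
    """Copy source values into vendor_* fields verbatim, coercing only the declared type."""
    source = json.loads(raw_message)
    fields = {}
    for name, (key, ftype) in VENDOR_FIELD_MAP.items():
        if key not in source:
            continue  # absent in the source: leave the field unset rather than guess
        value = source[key]
        if ftype == "keyword":
            fields[name] = str(value)  # no lower-casing or trimming: case is part of the data
        elif ftype == "integer":
            fields[name] = int(value)
        elif ftype == "ip":
            addr = ipaddress.ip_address(value)  # raises ValueError on malformed input
            # an IPv6 value lands in the matching vendor_*_ipv6 field
            fields[name + "v6" if addr.version == 6 else name] = str(addr)
    return fields


def derive_event_outcome(vendor_fields: dict) -> str:
    """Derive the normalized event_outcome from the verbatim vendor_event_outcome."""
    vendor_value = vendor_fields.get("vendor_event_outcome", "")
    return OUTCOME_TO_EVENT_OUTCOME.get(vendor_value.lower(), "unknown")
```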