Vendor Fields

  • The vendor fields are to capture data provided by source, as-is
  • The vendor fields are intended to capture information that is either used in the content we develop, or can be used to provide background on how a field such as event_outcome was defined
Vendor Fields
Field Name Example Values Field Type Notes
vendor_alert_severity high, medium, low keyword When the message is an alert this is the vendor-provided text description of the alert severity
vendor_alert_severity_level 0, 1, 2 integer When the message is an alert this is the vendor-provided numeric value for the alert severity
vendor_authentication_provider Where authentication was used against, Active Directory, SSO etc keyword Vendor defined action - Quick description of the auth source
vendor_credential_type   keyword Vendor-defined credential type - Password, Token, etc.
vendor_event_action Including, but not limited to: allow, deny, pass, fail keyword Vendor defined action - this should be a short, typically one-word, description of what action the event id describing
vendor_event_description   keyword Vendor defined description of the action with more detail than is included in event_vendor_action
vendor_event_outcome   keyword Vendor-defined result of the action defined in the message
vendor_event_outcome_reason   keyword Vendor-provided text detailing the reason for the vendor-provided outcome
vendor_event_severity   keyword Vendor-defined text description of the severity rating
vendor_event_severity_level   integer Vendor-defined numeric severity rating for this event
vendor_private_ip   ip  
vendor_private_ipv6   ip  
vendor_public_ip   ip  
vendor_public_ipv6   ip  
vendor_signin_protocol   keyword  
vendor_threat_suspected   keyword  
vendor_transaction_id   keyword  
vendor_transaction_type   keyword  
vendor_user_type   keyword