| vendor_alert_severity |
critical, high, medium, low |
keyword |
When the message is an alert this is the vendor-provided text description of the alert severity |
| vendor_alert_severity_level |
4, 3, 2, 1 |
integer |
When the message is an alert this is the vendor-provided numeric value for the alert severity |
| vendor_authentication_provider |
Active Directory |
keyword |
Vendor defined action - Quick description of the service providing credential validation |
| vendor_credential_type |
password, token |
keyword |
Vendor-defined credential type |
| vendor_event_action |
allow, deny, pass, fail |
keyword |
Vendor defined action - this should be a short, typically one-word, description of what action the event is describing |
| vendor_event_category |
Removable Media, Registry, File System |
keyword |
Vendor defined category of an event |
| vendor_event_description |
|
keyword |
Vendor defined description of the action with more detail than is included in vendor_event_action |
| vendor_event_outcome |
block, drop, report, allow, reject |
keyword |
Vendor-defined result of the action defined in the message |
| vendor_event_outcome_reason |
|
keyword |
Vendor-provided text detailing the reason for the vendor-provided action and/or outcome the message is describing |
| vendor_event_severity |
critical, high, medium, low, informational |
keyword |
Vendor-defined text description of the severity rating |
| vendor_event_severity_level |
0, 1, 5, 10 |
integer |
Vendor-defined numeric severity rating for this event |
| vendor_private_ip |
|
ip |
|
| vendor_private_ipv6 |
|
ip |
|
| vendor_public_ip |
|
ip |
|
| vendor_public_ipv6 |
|
ip |
|
| vendor_signin_protocol |
|
keyword |
|
| vendor_threat_suspected |
|
keyword |
|
| vendor_transaction_id |
|
keyword |
|
| vendor_transaction_type |
|
keyword |
|
| vendor_user_type |
|
keyword |
|