Vendor Fields

  • The vendor fields capture data exactly as the source provided it, as-is: no case folding, renaming or normalization of the vendor's values
  • They exist to hold information that is either used directly in the content we develop, or can be used as background on how a normalized field such as event_outcome was derived from the vendor's own action or outcome value
Vendor Fields
Each entry lists the field name, its type, example values where the source gives them, and notes on its meaning.

vendor_alert_severity
  Type: keyword
  Examples: critical, high, medium, low
  Notes: When the message is an alert, this is the vendor-provided text description of the alert severity.

vendor_alert_severity_level
  Type: integer
  Examples: 4, 3, 2, 1
  Notes: When the message is an alert, this is the vendor-provided numeric value for the alert severity.

vendor_authentication_provider
  Type: keyword
  Examples: Active Directory
  Notes: Vendor-defined short description of the service that performed credential validation.

vendor_credential_type
  Type: keyword
  Examples: password, token
  Notes: Vendor-defined credential type.

vendor_event_action
  Type: keyword
  Examples: allow, deny, pass, fail
  Notes: Vendor-defined action: a short, typically one-word, description of the action the event describes. The value is taken verbatim from the source log, including case.

vendor_event_category
  Type: keyword
  Examples: Removable Media, Registry, File System
  Notes: Vendor-defined category of the event.

vendor_event_description
  Type: keyword
  Notes: Vendor-defined description of the action, with more detail than vendor_event_action carries.

vendor_event_outcome
  Type: keyword
  Examples: block, drop, report, allow, reject
  Notes: Vendor-defined result of the action the message describes.

vendor_event_outcome_reason
  Type: keyword
  Notes: Vendor-provided text explaining the reason for the vendor-provided action and/or outcome the message describes.

vendor_event_severity
  Type: keyword
  Examples: critical, high, medium, low, informational
  Notes: Vendor-defined text description of the severity rating.

vendor_event_severity_level
  Type: integer
  Examples: 0, 1, 5, 10
  Notes: Vendor-defined numeric severity rating for the event.

vendor_private_ip
  Type: ip

vendor_private_ipv6
  Type: ip

vendor_public_ip
  Type: ip

vendor_public_ipv6
  Type: ip

vendor_signin_protocol
  Type: keyword

vendor_subtype
  Type: keyword
  Examples: ids, dnsmasq, kernel, threat
  Notes: Vendor-defined subtype of the log. This differs from event_log_name in that it refers to the subject or category of the log message rather than to the log itself.

vendor_threat_suspected
  Type: keyword

vendor_transaction_id
  Type: keyword

vendor_transaction_type
  Type: keyword

vendor_user_type
  Type: keyword
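The following is an added example, not part of this page or of the data model's own tooling. It populates the vendor_* fields from a constructed key=value log line, keeping keyword values verbatim (including case), rejecting non-integer values for the *_level fields instead of silently coercing them, and placing an address into the private/public and IPv4/IPv6 variants of the ip fields. The source key names (severity, action, client_ip, and so on) and the rule that "public" means globally routable are assumptions made for the example; the page does not define them.

```python
"""Added example: map a vendor key=value log line onto the vendor_* fields.

Not code from the data model page; the source key names and the public/private
address rule are assumptions for illustration.
"""
import ipaddress
import re

# Field -> declared type, as listed in the vendor field table on this page.
VENDOR_FIELD_TYPES = {
    "vendor_alert_severity": "keyword",
    "vendor_alert_severity_level": "integer",
    "vendor_authentication_provider": "keyword",
    "vendor_credential_type": "keyword",
    "vendor_event_action": "keyword",
    "vendor_event_category": "keyword",
    "vendor_event_description": "keyword",
    "vendor_event_outcome": "keyword",
    "vendor_event_outcome_reason": "keyword",
    "vendor_event_severity": "keyword",
    "vendor_event_severity_level": "integer",
    "vendor_private_ip": "ip",
    "vendor_private_ipv6": "ip",
    "vendor_public_ip": "ip",
    "vendor_public_ipv6": "ip",
    "vendor_signin_protocol": "keyword",
    "vendor_subtype": "keyword",
    "vendor_threat_suspected": "keyword",
    "vendor_transaction_id": "keyword",
    "vendor_transaction_type": "keyword",
    "vendor_user_type": "keyword",
}

# Hypothetical vendor key -> vendor_* field. Real vendors use their own names;
# this mapping is an assumption for the example.
SOURCE_KEY_MAP = {
    "severity": "vendor_event_severity",
    "severity_level": "vendor_event_severity_level",
    "action": "vendor_event_action",
    "result": "vendor_event_outcome",
    "reason": "vendor_event_outcome_reason",
    "category": "vendor_event_category",
    "subtype": "vendor_subtype",
    "cred": "vendor_credential_type",
}
# Hypothetical key whose value lands in one of the four vendor_*_ip fields.
IP_SOURCE_KEYS = {"client_ip"}

# Constructed sample log line (not captured from any product). Note the
# mixed case in action=DENY: it must survive into vendor_event_action.
SAMPLE_LINE = (
    'ts=2024-05-01T10:22:03Z subtype=threat category="File System" '
    'severity=High severity_level=10 action=DENY result=block '
    'reason="policy rule matched" client_ip=10.20.30.40 cred=password'
)


def parse_kv(line: str) -> dict:
    """Split key=value pairs; values may be bare tokens or double-quoted."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}


def place_ip(raw: str) -> tuple:
    """Pick the vendor_{private,public}_{ip,ipv6} field for an address.

    Assumption for this example: 'public' means globally routable
    (ipaddress.is_global); everything else is filed as private.
    Raises ValueError for values that are not IP addresses.
    """
    addr = ipaddress.ip_address(raw)
    scope = "public" if addr.is_global else "private"
    suffix = "ip" if addr.version == 4 else "ipv6"
    return f"vendor_{scope}_{suffix}", str(addr)


def to_vendor_fields(line: str) -> tuple:
    """Return (vendor_fields, errors) for one log line.

    Keyword fields are copied verbatim. Integer fields are parsed strictly;
    a non-numeric value is reported in errors rather than guessed at, so a
    malformed severity cannot masquerade as a real one.
    """
    out, errors = {}, []
    for key, raw in parse_kv(line).items():
        if key in IP_SOURCE_KEYS:
            try:
                field, value = place_ip(raw)
                out[field] = value
            except ValueError:
                errors.append(f"{key}: not an IP address: {raw!r}")
            continue
        field = SOURCE_KEY_MAP.get(key)
        if field is None:
            continue  # not a vendor_* field; other parts of the model handle it
        if VENDOR_FIELD_TYPES[field] == "integer":
            try:
                out[field] = int(raw)
            except ValueError:
                errors.append(f"{key}: {field} expects an integer, got {raw!r}")
        else:
            out[field] = raw  # keyword: as-is, case preserved
    return out, errors


if __name__ == "__main__":
    fields, problems = to_vendor_fields(SAMPLE_LINE)
    for name, value in fields.items():
        print(f"{name} = {value!r}")
    print("errors:", problems)
```

Running the block on the sample line yields vendor_event_action = 'DENY' rather than a lower-cased 'deny'; the normalized, case-folded meaning belongs in the event_* fields, not here. A line such as severity_level=high produces an error entry and no vendor_event_severity_level, which is preferable to storing a fabricated 0.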