Vendor Info [7.2]
Description of the specific vendor log or event identifier for the log: a human-readable elaboration that directly correlates to the VMID.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Not applicable |
| Client Console Short Name | Not applicable |
| Web Console Tab/Name | Vendor Info |
| Elasticsearch Field Name | vendorInfo |
| Rule Builder Column Name | VendorInfo |
| Regex Pattern | <vendorinfo> |
| NetMon Name | Not applicable |
Field Relationships
- VMID
- Subject
Common Applications
Any device that generates predetermined message types or categories that are differentiated by a brief description or identification number.
Use Case
Understanding the VMID so that events can be correlated without depending on the rule name, common event, or classification.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- To be used when VMID is present.
- To be used rarely when VMID is not present.
- Capturing long event descriptions such as a sentence.
- Not for subrules.
Examples
- Windows Event Log Security
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4663</EventID><Version>0</Version><Level>Information</Level><Task>Kernel Object</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2009-07-07T23:24:49.212Z'/><EventRecordID>451107</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='88'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData>An attempt was made to access an object.
Subject:
Security ID: USABLDRRECFLOW01\Administrator
Account Name: Administrator
Account Domain: USABLDRRECFLOW01
Logon ID: 0x2a9fe
Object:
Object Server: Security
Object Type: SymbolicLink
Object Name: \GLOBAL??\C:
Handle ID: 0x3c0
Process Information:
Process ID: 0x8d0
Process Name: C:\Windows\Host10
Access Request Information:
Accesses: Use symbolic link
Access Mask: 0x1</EventData></Event>
Describes in human-readable form what the event ID (VMID) translates to.
- CyberArk Privileged Threat Analytics
CEF:0|CyberArk|PTA|3.1|21|Suspected credentials theft|9|duser=pete.store dst=USABLDRRECFLOW01 cs2Label=eventID cs2=5b720c983420f5222222d deviceCustomDate1Label=detectionDate deviceCustomDate1=1422836202000 cs3Label=link cs3=https://1.1.1.1/incidents/5b722222224979d
The event name "Suspected credentials theft" describes VMID 21.
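The two examples above show the same VMID-to-Vendor Info relationship in two very different layouts. The following added example (not LogRhythm's parser; it works on constructed samples modelled on the events above, with hypothetical hostnames and IDs) extracts the (VMID, VendorInfo) pair from both a Windows Security XML event and a CEF record, so the description can be correlated against the vendor's event ID without relying on a rule name or classification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two events on this page (hypothetical values).
WIN_XML = (
    "<Event xmlns='http://Host2/win/2004/08/events/event'>"
    "<System><EventID>4663</EventID><Channel>Security</Channel></System>"
    "<EventData>An attempt was made to access an object.\n"
    "Subject:\nSecurity ID: HOSTNAME\\Administrator\n</EventData></Event>"
)
CEF_LINE = (
    "CEF:0|CyberArk|PTA|3.1|21|Suspected credentials theft|9|"
    "duser=pete.store dst=USABLDRRECFLOW01 cs2Label=eventID cs2=deadbeef"
)


def windows_vmid_vendorinfo(xml_text):
    """VMID is <EventID>; VendorInfo is the first line of <EventData>."""
    root = ET.fromstring(xml_text)
    # The Event element carries a default namespace; qualify lookups with it.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        return "{%s}%s" % (ns, tag) if ns else tag

    event_id = root.find("%s/%s" % (q("System"), q("EventID")))
    data = root.find(q("EventData"))
    if event_id is None or data is None or not (data.text or "").strip():
        raise ValueError("EventID or EventData missing")
    return event_id.text.strip(), data.text.strip().splitlines()[0].strip()


def cef_vmid_vendorinfo(line):
    """Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    A literal pipe inside a header value is escaped as '\\|', so split only on
    unescaped pipes; SignatureID maps to VMID and Name to VendorInfo."""
    fields = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(fields) < 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")

    def unescape(value):
        return value.replace("\\|", "|").strip()

    return unescape(fields[4]), unescape(fields[5])


def vmid_vendorinfo(record):
    """Dispatch on the record's leading characters and return (VMID, VendorInfo)."""
    stripped = record.lstrip()
    if stripped.startswith("CEF:"):
        return cef_vmid_vendorinfo(stripped)
    if stripped.startswith("<Event"):
        return windows_vmid_vendorinfo(stripped)
    raise ValueError("unsupported record format")


if __name__ == "__main__":
    for rec in (WIN_XML, CEF_LINE):
        print(vmid_vendorinfo(rec))
```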