Vendor Message ID
The vendor-assigned log or event identifier that designates a type of event (as opposed to one individual occurrence of it).
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Vendor Message ID |
| Client Console Short Name | Vendor Message ID |
| Web Console Tab/Name | Vendor Message ID |
| Elasticsearch Field Name | vendorMessageId |
| Rule Builder Column Name | VMID |
| Regex Pattern | <vmid> |
| NetMon Name | Not applicable |
Field Relationships
- Vendor Information
- Threat Name
- Threat ID
Common Applications
Any device that generates predetermined message types or categories that are differentiated by a brief description or identification number.
Use Case
Correlating events.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Describes or identifies an event type
- Sometimes human readable
- Usually numeric
- Can be used for subrules
- Indexed field, do not use subrule tags when making subrules off VMID
- Not for Response Codes
- Not for Threat IDs (signatures)
- Not Event Record ID
Examples
- Windows Event Log Security
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{222222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>
The Event ID number (4624 above) is the Vendor Message ID. The Event Record ID is not the Vendor Message ID: it identifies the individual instance of a log, not the type of event.
- Cisco ASA
02 03 2015 08:37:17 1.1.1.1 <LOC3:NOTE> :Feb 03 08:37:17 PST: %ASA-session-5-302013: Built outbound TCP connection 1001222224 for outside:1.1.1.1/80 (1.1.1.1/80) to shr-web-prod:1.1.1.1/58291 (1.1.1.1/58291)
For Cisco ASA, and Cisco products generally, the message ID in the syslog tag (302013 in %ASA-session-5-302013 above) is where the identifier for the type of event is kept.
- FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=https://romaslcmp01.mayo.edu/event_stream/events_for_bot?ev_id\=609081 act=blocked cs6Label=channel cs6=GET THINGS dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.Angler
For FireEye Web MPS, and CEF messages generally, the type of event is described in human-readable form in the Name field of the CEF header (infection-match above). The signature name carried in the extension (cs1=Exploit.Kit.Angler) is a Threat Name, not the Vendor Message ID.
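The three examples above each keep the event-type identifier in a different place, and a normalizer has to avoid the neighbouring values that look similar (the Windows Event Record ID, the ASA connection number, the CEF externalId and signature name). The following Python is an added example, not LogRhythm's own parsing code, and uses constructed sample events adapted from the page's examples with placeholder addresses and hostnames; the function and field names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed samples, trimmed from the page's examples (placeholder IPs/hosts).
WINDOWS_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><EventRecordID>2269912024</EventRecordID>"
    "<Channel>Security</Channel></System>"
    "<EventData><Data Name='LogonType'>5</Data></EventData></Event>"
)
ASA_SYSLOG = (
    "02 03 2015 08:37:17 1.1.1.1 <LOC3:NOTE> :Feb 03 08:37:17 PST: "
    "%ASA-session-5-302013: Built outbound TCP connection 1001222224 "
    "for outside:1.1.1.1/80 (1.1.1.1/80) to shr-web-prod:1.1.1.1/58291 (1.1.1.1/58291)"
)
CEF_MESSAGE = (
    "fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|"
    "rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn2Label=sid cn2=84575103 "
    "externalId=609081 act=blocked cs1Label=sname cs1=Exploit.Kit.Angler"
)

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def vmid_from_windows_event(xml_text: str) -> Optional[str]:
    """Vendor Message ID for a Windows event is <EventID>.

    <EventRecordID> is deliberately ignored: it numbers one log instance,
    not the event type, so it must never be stored as VMID."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{WIN_NS}System/{WIN_NS}EventID")
    return node.text.strip() if node is not None and node.text else None


# Cisco ASA tag: %ASA-<level>-<msgid> or %ASA-<class>-<level>-<msgid>.
ASA_RE = re.compile(r"%ASA-(?:(?P<cls>[A-Za-z]+)-)?(?P<sev>\d)-(?P<msgid>\d{6})")


def vmid_from_asa(line: str) -> Optional[str]:
    """Vendor Message ID for ASA is the six-digit message number in the tag.

    The connection number in the message text (1001222224) is per-flow
    and is not an event-type identifier."""
    m = ASA_RE.search(line)
    return m.group("msgid") if m else None


CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "device_event_class_id", "name", "severity")


def parse_cef_header(line: str) -> Optional[dict]:
    """Split the seven pipe-delimited CEF header fields; '\\|' inside a
    field is an escaped pipe and does not terminate the field."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 7:
        return None
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    header["extension"] = parts[7] if len(parts) > 7 else ""
    return header


def vmid_from_cef(line: str) -> Optional[str]:
    """Vendor Message ID for CEF is the human-readable Name header field.

    externalId and cs1 (signature name) in the extension are left alone;
    the latter belongs in Threat Name, not VMID."""
    header = parse_cef_header(line)
    return header["name"].replace("\\|", "|") if header else None


def extract_vmid(raw: str) -> Optional[Tuple[str, str]]:
    """Detect the format and return (source, vmid), or None if unrecognised."""
    text = raw.lstrip()
    if text.startswith("<Event"):
        vmid = vmid_from_windows_event(text)
        source = "windows"
    elif "%ASA-" in text:
        vmid, source = vmid_from_asa(text), "cisco_asa"
    elif "CEF:" in text:
        vmid, source = vmid_from_cef(text), "cef"
    else:
        return None
    return (source, vmid) if vmid else None


if __name__ == "__main__":
    for sample in (WINDOWS_EVENT, ASA_SYSLOG, CEF_MESSAGE):
        print(extract_vmid(sample))
```

Because VMID is an indexed field, a normalized value such as `("cisco_asa", "302013")` is what a correlation rule keys on; the per-instance identifiers the functions skip are exactly the ones that would make every event unique and defeat that correlation.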