Skip to main content
Skip table of contents

Vendor Message ID

The specific vendor log or event identifier for the log used to describe a type of event. 

Data Type




Client Console Full Name

Vendor Message ID

Client Console Short Name

Vendor Message ID

Web Console Tab/Name

Vendor Message ID

Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Not applicable

Field Relationships

  • Vendor Information
  • Threat Name
  • Threat ID

Common Applications

Any device that generates predetermined message types or categories that are differentiated by a brief description or identification number.

Use Case

Correlating events.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Describes or identifies an event type
  • Sometimes human readable
  • Usually numeric
  • Can be used for subrules
  • Indexed field, do not use subrule tags when making subrules off VMID
  • Not for Response Codes
  • Not for Threat IDs (signatures)
  • Not Event Record ID


  • Windows Event Log Security

<Event xmlns=''><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{222222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi  </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>

The Event ID number is the Vendor Message ID. Event Record ID is not Vendor Message ID. This describes the individual instance of a log.

  • Cisco ASA

02 03 2015 08:37:17 <LOC3:NOTE> :Feb 03 08:37:17 PST: %ASA-session-5-302013: Built outbound TCP connection 1001222224 for outside: ( to shr-web-prod: (

For Cisco ASA and Cisco products generally, this is where the identifier for the type of event is kept.

  • FireEye Web MPS

02 01 2016 17:13:19 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS||IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src= cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst= cs5Label=cncHost cs5= dvchost= USABLDRRECFLOW01dvc= smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=\=609081 act=blocked cs6Label=channel cs6=GET THINGS dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.Angler

For FireEye Web MPS, and CEF messages generally, the type of event is described here in a human readable form.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.