Vendor-Related Metadata

When Stellar Cyber ingests data, some of the information is stored in standardized fields (example: srcip) within the Interflow record. The table below shows a set of the standard fields that you may find helpful for identifying vendor-specific data in the searches or queries that you build.

Metadata Field Purpose Examples
msg_origin.vendor

Vendor associated with the data

trendmicro

msg_origin.source Vendor's product name associated with the data trendmicro_cloudone
msg_origin.category

Overall data category

endpoint

msg_origin.processor.name

For connectors, this is the same as msg_origin.source

trendmicro_cloudone

msg_origin.processor.type

For connectors, this is always log_collector

log_collector

msg_class Sub-category of data applicable to multiple content types from a vendor

trendmicro_cloudone_computers

These metadata fields can be viewed in the JSON tab.

Vendor-Specific Data

In addition to standard metadata fields in the Interflow record, Stellar Cyber dynamically creates fields to store vendor-specific data. In earlier releases, these were created with their functional field name, so a search for the value would benefit from a compound query such as: msg_origin.source:gsuite AND actor.email:badguy@someco.com. Later releases have these fields nested under the vendor name, which simplifies searches - the previous example could be found using gsuite.actor.email:badguy@someco.com.

Example Interflow without vendor label Example Interflow with vendor label

To learn which fields may be useful for your queries, expand the Interflow details in views such as the Investigate | Threat Hunting Documents table. Locate the vendor name and note the fields. Repeat this with different Interflow rows, since Stellar Cyber does not typically create the fields if the incoming value is blank.