
Commit

docs: update definition according to what's implemented [skip ci] (#492)
mmta authored Feb 16, 2024
1 parent 8e4eb31 commit 6ffccf1
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/dsiem_plugin.md
Expand Up @@ -17,9 +17,9 @@ The following table shows the fields of a `Normalized Event`:
| protocol | Network protocol used, such as TCP, UDP, ICMP, etc. | No | Yes
| src_port | Source port number, typically refers to TCP or UDP ports, but may also be any identifying number like ICMP type number, etc. | No | Yes
| dst_port | Source port number, typically refers to TCP or UDP ports, but may also be any identifying number like ICMP type number, etc. | No | Yes
| product | Product-type of the device that generates the event, i.e. firewall, IDS/IPS, etc. | Yes | Yes, in [TaxonomyRule](./directive_and_alarm.md#about-directive-rules)
| product | Product-type of the device that generates the event, i.e. firewall, IDS/IPS, etc. | Yes, if `plugin_id` or `plugin_sid` is empty | Yes, in [TaxonomyRule](./directive_and_alarm.md#about-directive-rules)
| category | The event's category, relative to the product type. For example, if the product type is firewall, event's category maybe `Allowed Traffic`,`Denied Traffic`, `Dropped Traffic`, `Port Scan` etc. | Yes, if `plugin_id` or `plugin_sid` is empty | Yes, in [TaxonomyRule](./directive_and_alarm.md#about-directive-rules)
| subcategory | further breakdown of the event's category. For example, if the category is `Code Injection Attack`, subcategory maybe `SQL Injection`, `HTTP Parameter Injection`, etc. | Yes, if `plugin_id` or `plugin_sid` is empty | Yes, in [TaxonomyRule](./directive_and_alarm.md#about-directive-rules)
| subcategory | further breakdown of the event's category. For example, if the category is `Code Injection Attack`, subcategory maybe `SQL Injection`, `HTTP Parameter Injection`, etc. | No | Yes, in [TaxonomyRule](./directive_and_alarm.md#about-directive-rules)
| plugin_id | A unique number that identifies the plugin. For example, `1001` for Suricata eve.json based events as used in Dsiem default config (`1001` is also used in OSSIM by default for Suricata UnifiedThreat logs) | Yes, if `product` or `category` is empty | Yes, in [PluginRule](./directive_and_alarm.md#about-directive-rules)
| plugin_sid | A unique number that identifies the event *within* the plugin. |Yes, if `product` or `category` is empty | Yes, in [PluginRule](./directive_and_alarm.md#about-directive-rules)
| custom_label1 | A text identifier for an extra/custom field to use for correlation rules. | No | No
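Review bot: the unchanged `dst_port` row in this hunk still describes the field as "Source port number", a copy-paste of the `src_port` description directly above it; since this commit is already correcting field definitions in the same table, it should also change that cell to "Destination port number, typically refers to TCP or UDP ports, ..." so the two rows are distinguishable. On the changed rows themselves, the new `product` requirement ("Yes, if `plugin_id` or `plugin_sid` is empty") now mirrors the wording used by `plugin_id` and `plugin_sid`, which is consistent, but `subcategory` dropping to "No" while its "Used in" column still says TaxonomyRule deserves a short sentence in the surrounding text stating how a TaxonomyRule behaves when the event's `subcategory` is empty, otherwise readers cannot tell whether an empty value matches nothing or matches any rule.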

0 comments on commit 6ffccf1
