I am not sure if this is a mistake, or how it should be interpreted, but `event_category_type` can be found twice in the event attributes:

| Name | Type | Description | Sample Value |
|---|---|---|---|
| event_category_type | string | A description of the event, which can help with categorization. If the vendor defines a category/grouping for its log. i.e. Zeek has a few category types for its many logs (network-protocols, network-observations, etc...). Example. sysmon event id 12 is EventType field is this. | network-protocols |
| event_category_type | string | If the event contains a category, then this it. i.e For the Windows Security channel, this could be something such as Audit object access. For Zeek conn.log, this would be network-protocols. | Audit Object Access |

https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/event.md?plain=1#L9-L10