HPESecurity ArcSight CommonEvent Format - secef.net · HPESecurity ArcSight CommonEvent Format Implementing ArcSight Common Event Format CEF) Version 23 May16,2016

HPE Security ArcSight Common EventFormat

Implementing ArcSight Common Event Format CEF)Version 23

May 16, 2016

Legal Notices

WarrantyThe only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statementsaccompanying such products and services. Nothing herein should be construed as constituting an additional warranty.Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustrationpurposes only.

HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, andconfidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good securitypractices.

This document is confidential.

Restricted Rights LegendConfidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and TechnicalData for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice© Copyright 2016 Hewlett Packard Enterprise Development, LP

Follow this link to see a complete statement of copyrights and acknowledgements:https://www.protect724.hpe.com/docs/DOC-13026

Support

Phone A list of phone numbers is available on the HPE Security ArcSight TechnicalSupport Page: https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list

Support Web Site https://softwaresupport.hp.com

Protect 724 Community https://www.protect724.hpe.com

Contact Information

Implementing ArcSight Common Event Format (CEF)

HPE Common Event Format May 16, 2016 Page 2 of 39

https://www.protect724.hpe.com/docs/DOC-13026

https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list

https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list

https://softwaresupport.hp.com/

https://www.protect724.hpe.com/welcome

Contents

Chapter 1: What is CEF? 5

The Case for ArcSight CEF 5CEF Certification 5

CEF Implementation 6Header Information 6Using CEF Without Syslog 6Header Field Definitions 7The Extension Field 7Character Encoding 7

Chapter 2: ArcSight Extension Dictionary 9

CEF Key Names For Event Producers 9

CEF Key Names For Event Consumers 30

Chapter 3: Special Mappings 34

Firewall 34

Anti-Virus 34

Email 34

Wireless 35

IPv6 Format 35

Chapter 4: User-Defined Extensions 36

CustomExtension Naming Guidelines 36Format 36Requirements 36

Limitations of CustomExtensions 36Limitations Affecting ArcSight ESM 37

Limitations Affecting ArcSight Logger 37

Appendix A: Date Formats 38

Send Documentation Feedback 39


Page 4 of 39HPE Common Event Format May 16, 2016

Implementing ArcSight Common Event Format (CEF)

Chapter 1: What is CEF?CEF is an extensible, text-based format designed to support multiple device types by offerring the mostrelevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEFdefines a syntax for log records comprised of a standard header and a variable extension, formatted askey-value pairs. The CEF format can be used with on-premise devices by implementing the ArcSightSyslog SmartConnector. CEF can also be used by cloud-based service providers by implementing theSmartConnector for ArcSight Common Event Format REST.

Note: This guide describes ArcSight CEF standard only, and does not include descriptions of fieldsor schemas related to ArcSight products, such as the ArcSight Manager, ArcSight Logger, orArcSight SmartConnectors. If you need that type of information, Contact Customer Support.

The Case for ArcSight CEFThe central problem of any security information and event management (SIEM) environment isintegration. Device vendors each have their own format for reporting event information, and suchdiversity can make customer site integration time consuming and expensive. The Common EventFormat (CEF) standard format, developed by ArcSight, enables vendors and their customers to quicklyintegrate their product information into ESM.

The CEF standard format is an open log management standard that simplifies log management. CEFallows third parties to create their own device schemas that are compatible with a standard that is usedindustry-wide for normalizing security events. Technology companies and customers can use thestandardized CEF format to facilitate data collection and aggregation, for later analysis by an enterprisemanagement system.

CEF CertificationThe Enterprise Security Products Technology Alliance Program assists technology companies that wantto adopt, test, and certify their compatibility with the CEF standard and by extension ArcSightinteroperability. The CEF Technology Alliance Programprovides a process that includesdocumentation, event categorization assistance, technical and marketing support along with access to ahosted ArcSight ESM solution for testing. For more information, see the HP Enterprise SecurityProducts Technology Alliance ProgramGuide on Protect724.


CEF ImplementationThis document defines the CEF protocol and provides details on how to implement the standard. Itdetails the header and predefined extensions used within the standard, as well as how to create user-defined extensions. It also includes a list of CEF supported date formats.

Header InformationCEF uses syslog as a transport mechanism. It uses the following format, comprised of a syslogprefix, a header and an extension, as shown below:

Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|DeviceVersion|Device Event Class ID|Name|Severity|[Extension]

The CEF:Version portion of the message is a mandatory header. The remainder of the message isformatted using fields delimited by a pipe ("|") character. All of these remaining fields should be presentand are defined under "Header Field Definitions" on the next page".

The extension portion of the message is a placeholder for additional fields, but is not mandatory. Anyadditional fields are logged as key-value pairs. See "ArcSight Extension Dictionary" on page 9 for a tableof definitions.

The following example illustrates a CEF message using Syslog transport:

Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfullystopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232

Using CEF Without SyslogSyslog applies a syslog prefix to each message, no matter which device it arrives from, that contains thedate and hostname, as shown below.

Jan 18 11:07:53 host CEF:Version|…

However, if an event producer is unable to write syslog messages, it is still possible to write the events toa file.

To do so:

1. Omit the syslog prefix (Jan 18 11:07:53 host).

2. Begin the message with the format shown below:

CEF:Version|Device Vendor|Device Product|Device Version|Device Event ClassID|Name|Severity|[Extension]

Implementing ArcSight Common Event Format (CEF)Chapter 1: What is CEF?


Header Field Definitions

Version is an integer and identifies the version of the CEF format. Event consumers use thisinformation to determine what the following fields represent. The current CEF version is 0 (CEF:0).

Device Vendor, Device Product and Device Version are strings that uniquely identify the type ofsending device. No two products may use the same device-vendor and device-product pair. There is nocentral authority managing these pairs. Event producers must ensure that they assign unique namepairs.

Device Event Class ID is a unique identifier per event-type. This can be a string or an integer. DeviceEvent Class ID identifies the type of event reported. In the intrusion detection system (IDS) world, eachsignature or rule that detects certain activity has a unique Device Event Class ID assigned. This is arequirement for other types of devices as well, and helps correlation engines process the events. Alsoknown as Signature ID.

Name is a string representing a human-readable and understandable description of the event. Theevent name should not contain information that is specifically mentioned in other fields. For example:"Port scan from 10.0.0.1 targeting 20.1.1.1" is not a good event name. It should be: "Port scan". The otherinformation is redundant and can be picked up from the other fields.

Severity is a string or integer and reflects the importance of the event. The valid string values areUnknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.

The Extension Field

The Extension field contains a collection of key-value pairs. The keys are part of a predefined set. Thestandard allows for including additional keys as outlined in "ArcSight Extension Dictionary" on page 9.An event can contain any number of key-value pairs in any order, separated by spaces (" "). If a fieldcontains a space, such as a file name, this is valid and can be logged in exactly that manner, as shownbelow:

filePath=/user/username/dir/my file name.txt

Note: If there are multiple spaces before a key, all spaces but the last space are treated as trailingspaces in the prior value in the key. If you need trailing spaces, use multiple spaces, otherwise, useone space between the end of a value and the start of the following key.

Character Encoding

Because CEF uses the UTF-8 Unicode encoding method, certain symbols must use character encoding.Within this context, character encoding specifies how to represent characters that could be



misinterpreted within the schema.

Note the following when encoding symbols in CEF:

l The entire message should be UTF-8 encoded.

l Spaces used in the header are valid. Do not encode a space character by using <space>.

l If a pipe (|) is used in the header, it has to be escaped with a backslash (\). But note that pipes in theextension do not need escaping. For example:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \| inmessage|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1

l If a backslash (\) is used in the header or the extension, it has to be escaped with another backslash(\). For example:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\ inpacket|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1

l If an equal sign (=) is used in the extensions, it has to be escaped with a backslash (\). Equal signs inthe header need no escaping. For example:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a = inmessage|10|src=10.0.0.1 act=blocked a \= dst=1.1.1.1

l Multi-line fields can be sent by CEF by encoding the newline character as \n or \r. Note that multiplelines are only allowed in the value part of the extensions. For example:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected athreat. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\n Noaction needed.



Chapter 2: ArcSight Extension DictionaryThe tables below, CEF Key Names For Event Producers and CEF Key Names for Event Consumers, listpredefined names that establish usages for both event producers and event consumers. While the fieldslisted in both tables are useful event consumers, the fields listed in CEF Key Names for Event Consumersshould not be set by event producers.

CEF Key Names For Event ProducersThis table displays the CEF names along with the full names for each name. When sending events, theCEF key name is the proper form to use; using the full name to send an event will fail.

CEF Key Name Full Name Data Type Length Meaning

act deviceAction String 63 Action taken by thedevice

app applicationProtocol String 31 Application level protocol,example values are:HTTP, HTTPS, SSHv2,Telnet, POP, IMAP,IMAPS, etc.

c6a1 deviceCustomIPv6Address1

IPv6address

One of four IPV6 addressfields available to mapfields that do not apply toany other in thisdictionary.

Tip: Please reference theguidelines under "User-Defined Extensions" onpage 36 for tips on usingthese fields.

c6a1Label deviceCustomIPv6Address1Label

String 1023 All custom fields have acorresponding label field.Each of these fields is astring and describes thepurpose of the custom

CEF Key Names For Event Producers



field.


IPv6address




String 1023 All custom fields have acorresponding label field.Each of these fields is astring and describes thepurpose of the customfield.


IPv6address






IPv6address

One of four IPV6 addressfields available to map

CEF Key Names For Event Producers, continued

Implementing ArcSight Common Event Format (CEF)Chapter 2: ArcSight Extension Dictionary



fields that do not apply toany other in thisdictionary.




cfp1 deviceCustomFloatingPoint1

FloatingPoint

One of four floating pointfields available to mapfields that do not apply toany other in thisdictionary.

cfp1Label deviceCustomFloatingPoint1Label



FloatingPoint









FloatingPoint





FloatingPoint




cn1 deviceCustomNumber1

Long One of three numberfields available to mapfields that do not apply toany other in thisdictionary. Use sparinglyand seek a more specific,dictionary supplied fieldwhen possible.

cn1Label deviceCustomNumber1Label

String 1023 All custom fields have acorresponding label fieldwhere the field itself canbe described. Each of thefields is a string describingthe purpose of this field.













cnt baseEventCount Integer A count associated withthis event. How manytimes was this same eventobserved? Count can beomitted if it is 1.

cs1 deviceCustomString1 String 4000 One of six stringsavailable to map fieldsthat do not apply to any





other in this dictionary.Use sparingly and seek amore specific, dictionarysupplied field whenpossible.


cs1Label deviceCustomString1Label String 1023 All custom fields have acorresponding label fieldwhere the field itself canbe described. Each of thefields is a string describingthe purpose of this field.

cs2 deviceCustomString2 String 4000 One of six stringsavailable to map fieldsthat do not apply to anyother in this dictionary.Use sparingly and seek amore specific, dictionarysupplied field whenpossible.



cs3 deviceCustomString3 String 4000 One of six strings





available to map fieldsthat do not apply to anyother in this dictionary.Use sparingly and seek amore specific, dictionarysupplied field whenpossible.















cs6Label deviceCustomString6Label String 1023 All custom fields have acorresponding label fieldwhere the field itself canbe described. Each of thefields is a string describing





the purpose of this field.

destinationDnsDomain

destinationDnsDomain

String 255 The DNS domain part ofthe complete fullyqualified domain name(FQDN).

destinationServiceName

destinationServiceName

String 1023 The service targeted bythis event. Example:

"sshd"

destinationTranslatedAddress

destinationTranslatedAddress

IPv4Address

Identifies the translateddestination that the eventrefers to in an IP network.The format is an IPv4address.

Example:

"192.168.10.1"

destinationTranslatedPort

destinationTranslatedPort Integer Port after it wastranslated; for example, afirewall. Valid portnumbers are 0 to 65535.

deviceCustomDate1

deviceCustomDate1 TimeStamp One of two timestampfields available to mapfields that do not apply toany other in thisdictionary. Use sparinglyand seek a more specific,dictionary supplied fieldwhen possible.


device deviceCustomDate1 String 1023 All custom fields have a





CustomDate1Label

Label corresponding label field.Each of these fields is astring and describes thepurpose of the customfield.

deviceCustomDate2

deviceCustomDate2 TimeStamp One of two timestampfields available to mapfields that do not apply toany other in thisdictionary. Use sparinglyand seek a more specific,dictionary supplied fieldwhen possible.


deviceCustomDate2Label

deviceCustomDate2Label


deviceDirection

deviceDirection Integer Any information aboutwhat direction theobserved communicationhas taken. The followingvalues are supported:

“0” for inbound or “1” foroutbound

deviceDnsDomain

deviceDnsDomain String 255 The DNS domain part ofthe complete fullyqualified domain name(FQDN).





deviceExternalId

deviceExternalId String 255 A name that uniquelyidentifies the devicegenerating this event.

deviceFacility

deviceFacility String 1023 The facility generatingthis event. For example,Syslog has an explicitfacility associated withevery event.

deviceInboundInterface

deviceInboundInterface

String 128 Interface on which thepacket or data enteredthe device.

deviceNtDomain

deviceNtDomain String 255 The Windows domainname of the deviceaddress.

deviceOutboundInterface

deviceOutboundInterface

String 128 Interface on which thepacket or data left thedevice.

devicePayloadId

devicePayloadId String 128 Unique identifier for thepayload associated withthe event.

deviceProcessName

deviceProcessName String 1023 Process name associatedwith the event. Anexample might be theprocess generating thesyslog entry in UNIX.

deviceTranslatedAddress

deviceTranslatedAddress

IPv4Address

Identifies the translateddevice address that theevent refers to in an IPnetwork. The format is an

IPv4 address. Example:

"192.168.10.1"

dhost destinationHostName String 1023 Identifies the destinationthat an event refers to in





an IP network. The formatshould be a fully qualifieddomain name associatedwith the destination node,when a node is available(FQDN).

Examples:"host.domain.com" or"host".

dmac destinationMacAddress

MACAddress

Six colon-separatedhexadecimal numbers.Example:"00:0D:60:AF:1B:61"

dntdom destinationNtDomain String 255 The Windows domainname of the destinationaddress.

dpid destinationProcessId Integer Provides the ID of thedestination processassociated with the event.For example, if an eventcontains process ID 105,"105" is the process ID.

dpriv destinationUserPrivileges

String 1023 The typical values are:"Administrator", "User",and "Guest". Thisidentifies the destinationuser's privileges. In UNIX,for example, activityexecuted on the root userwould be identified withdestinationUserPrivilegesof "Administrator".

dproc destinationProcessName

String 1023 The name of the event'sdestination process.

Example:





"telnetd", or "sshd".

dpt destinationPort Integer The valid port numbersare between 0 and 65535.

dst destinationAddress IPv4Address

Identifies the destinationaddress that the eventrefers to in an IP network.The format is an IPv4address.

Example:

"192.168.10.1"

dtz deviceTimeZone String 255 The timezone for thedevice generating theevent.

duid destinationUserId String 1023 Identifies the destinationuser by ID. For example, inUNIX, the root user isgenerally associated withuser ID 0.

duser destinationUserName String 1023 Identifies the destinationuser by name. This is theuser associated with theevent's destination. Emailaddresses are oftenmapped into theUserName fields. Therecipient is a candidate toput intodestinationUserName.

dvc deviceAddress IPV4Address

Identifies the deviceaddress that an eventrefers to in an IP network.The format is an IPv4address.

Example:





"192.168.10.1"

dvchost deviceHostName String 100 The format should be afully qualified domainname associated with thedevice node, when a nodeis available (FQDN).Examples:"host.domain.com" or"host".

dvcmac deviceMacAddress MACAddress

Six colon-separatedhexadecimal numbers.

Example:

"00:0D:60:AF:1B:61"

dvcpid deviceProcessId Integer Provides the ID of theprocess on the devicegenerating the event.

end endTime TimeStamp

The time at which theactivity related to theevent ended. The formatis MMM dd yyyyHH:mm:ss or millisecondssince epoch (Jan 1st 1970).An example would bereporting the end of asession.

externalId externalId String 40 The ID used by anoriginating device. Theyare usually increasingnumbers, associated withevents.

fileCreateTime

fileCreateTime TimeStamp

Time when the file wascreated.

fileHash fileHash String 255 Hash of a file.





fileId fileId String 1023 An ID associated with afile could be the inode.

fileModificationTime

fileModificationTime TimeStamp

Time when the file waslast modified.

filePath filePath String 1023 Full path to the file,including file name itself.

Example:

C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or/usr/bin/zip

filePermission

filePermission String 1023 Permissions of the file.

fileType fileType String 1023 Type of file (pipe, socket,etc.)

flexDate1 flexDate1 TimeStamp

A timestamp fieldavailable to map atimestamp that does notapply to any otherdefined timestamp field inthis dictionary. Use all flexfields sparingly and seek amore specific, dictionarysupplied field whenpossible. These fields aretypically reserved forcustomer use and shouldnot be set by vendorsunless necessary.

flexDate1Label

flexDate1Label

String 128

flexNumber1 flexNumber1 Long One of two number fields





available to map Longdata that does not applyto any other field in thisdictionary. Use sparinglyand seek a more specific,dictionary supplied fieldwhen possible. Thesefields are typicallyreserved for customer useand should not be set byvendors unless necessary.

flexNumber1Label flexNumber1Label String 128

flexNumber2 flexNumber2 Long

flexNumber2Label flexNumber2Label String 128

flexString1 flexString1 String 1023 One of two string fieldsavailable to map Stringdata that does not applyto any other field in thisdictionary. Use sparinglyand seek a more specific,dictionary supplied fieldwhen possible. Thesefields are typicallyreserved for customer useand should not be set byvendors unless necessary.

flexString1Label

flexString1Label String 128

flexString2 flexString2 String 1023

flexString2Label

flexString2Label String 128

fname fileName String 1023 Name of the file only(without its path)





fsize fileSize Integer Size of the file.

in bytesIn Integer Number of bytestransferred inbound.Inbound relative to thesource to destinationrelationship, meaning thatdata was flowing fromsource to destination.

msg message String 1023 An arbitrary messagegiving more details aboutthe event. Multi-lineentries can be producedby using \n as the new-line separator.

oldFileCreateTime oldFileCreateTime TimeStamp

Time when old file wascreated.

oldFileHash oldFileHash String 255 Hash of the old file.

oldFileId oldFileId String 1023 An ID associated with theold file could be the inode.

oldFileModificationTime

oldFileModificationTime TimeStamp

Time when old file waslast modified.

oldFileName oldFileName String 1023 Name of the old file.

oldFilePath oldFilePath String 1023 Full path to the old file,including the file nameitself.

Examples:

C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or/usr/bin/zip

oldFile oldFilePermission String 1023 Permissions of the old file.





Permission

oldFileSize oldFileSize Integer Size of the old file.

oldFileType oldFileType String 1023 Type of the old file (pipe,socket, etc.)

out bytesOut Integer Number of bytestransferred outboundrelative to the source todestination relationship.For example, the bytenumber of data flowingfrom the destination tothe source.

outcome eventOutcome String 63 Displays the outcome,usually as 'success' or'failure'.

proto transportProtocol String 31 Identifies the Layer-4protocol used. Thepossible values areprotocols such as TCP orUDP.

reason reason String 1023 The reason an audit eventwas generated. Forexample "Bad password"or "Unknown User". Thiscould also be an error orreturn code.

Example:

"0x1234"

request requestUrl String 1023 In the case of an HTTPrequest, this field containsthe URL accessed. TheURL should contain theprotocol as well.





Example:

“http://www.security.com"

requestClientApplication

requestClientApplication

String 1023 The User-Agentassociated with therequest.

requestContext

requestContext String 2048 Description of the contentfromwhich the requestoriginated (for example,HTTP Referrer).

requestCookies

requestCookies String 1023 Cookies associated withthe request.

requestMethod

requestMethod String 1023 The method used toaccess a URL. Possiblevalues: "POST", "GET", etc.

rt deviceReceiptTime TimeStamp

The time at which theevent related to theactivity was received. Theformat is MMM dd yyyyHH:mm:ss ormilliseconds since epoch

(Jan 1st 1970).

shost sourceHostName String 1023 Identifies the source thatan event refers to in an IPnetwork. The formatshould be a fully qualifieddomain name associatedwith the source node,when a node is available

(FQDN). Examples:"host.domain.com" or"host".

smac sourceMacAddress MACAddress

Six colon-separatedhexadecimal numbers.





Example:"00:0D:60:AF:1B:61"

sntdom sourceNtDomain String 255 The Windows domainname for the sourceaddress.

sourceDnsDomain

sourceDnsDomain String 255 The DNS domain part ofthe complete fullyqualified domain name(FQDN).

sourceServiceName

sourceServiceName String 1023 The service which isresponsible forgenerating this event.

sourceTranslatedAddress

sourceTranslatedAddress

IPv4Address

Identifies the translatedsource that the eventrefers to in an IP network.The format is an IPv4address.

Example:

"192.168.10.1"

sourceTranslatedPort

sourceTranslatedPort Integer A port number after beingtranslated by, forexample, a firewall. Validport numbers are 0 to65535.

spid sourceProcessId Integer The ID of the sourceprocess associated withthe event.

spriv sourceUserPrivileges String 1023 The typical values are:"Administrator", "User",and "Guest". It identifiesthe source user'sprivileges. In UNIX, forexample, activity executedby the root user would be





identified withsourceUserPrivileges of"Administrator".

sproc sourceProcessName String 1023 The name of the event'ssource process.

spt sourcePort Integer The valid port numbersare 0 to 65535.

src sourceAddress IPv4Address

Identifies the source thatan event refers to in an IPnetwork. The format is anIPv4 address.

Example:

"192.168.10.1"

start startTime TimeStamp

The time when the activitythe event referred tostarted. The format is MMMdd yyyy HH:mm:ss ormilliseconds since epoch

(Jan 1st 1970).

suid sourceUserId String 1023 Identifies the source userby ID. This is the userassociated with the sourceof the event. For example,in UNIX, the root user isgenerally associated withuser ID 0.

suser sourceUserName String 1023 Identifies the source userby name. Email addressesare also mapped into theUserName fields. Thesender is a candidate toput into sourceUserName.

type type Integer 0 means base event,





1 means aggregated, 2means correlation, and 3means action; this fieldcan be omitted for baseevents (type 0)


CEF Key Names For Event ConsumersThis table displays the CEF names along with the full names for each name. When sending events, theCEF key name is the proper form to use; using the full name to send an event will fail.

CEF Key Name Full NameDataType Length Meaning

agentDnsDomain

agentDnsDomain String 255 The DNS domain nameof the ArcSightconnector thatprocessed the event.

agentNtDomain

agentNtDomain String 255

agentTranslatedAddress

agentTranslatedAddress IPAddress

agentTranslatedZoneExternalID

agentTranslatedZoneExternalID String 200

agentTranslatedZoneURI

agentTranslatedZoneURI String 2048

agentZoneExternalID

agentZoneExternalID String 200

agentZoneURI

agentZoneURI String 2048

agt agentAddress IP The IP address of the

CEF Key Names For Event Consumers




Address ArcSight connector thatprocessed the event.

ahost agentHostName String 1023 The hostname of theArcSight connector thatprocessed the event.

aid agentId String 40 The agent ID of theArcSight connector thatprocessed the event.

amac agentMacAddress MACAddress

The MAC address ofthe ArcSight connectorthat processed theevent.

art agentReceiptTime TimeStamp

The time at whichinformation about theevent was received bythe ArcSight connector.

at agentType String 63 The agent type of theArcSight connector thatprocessed the event.

atz agentTimeZone String 255 The agent time zone ofthe ArcSight connectorthat processed theevent.

av agentVersion String 31 The version of theArcSight connector thatprocessed the event.

cat deviceEventCategory String 1023 Represents thecategory assigned bythe originating device.Devices oftentimes usetheir owncategorization schemato classify events.

CEF Key Names For Event Consumers, continued




Example:"/Monitor/Disk/Read"

customerExternalID

customerExternalID String 200

customerURI customerURI String 2048

destinationTranslatedZoneExternalID

destinationTranslatedZoneExternalID

String 200

destinationTranslatedZoneURI

destinationTranslatedZoneURI String 2048 The URI for theTranslated Zone thatthe destination assethas been assigned to inArcSight.

destinationZoneExternalID

destinationZoneExternalID String 200

destinationZoneURI

destinationZoneURI String 2048 The URI for the Zonethat the destinationasset has been assignedto in ArcSight.

deviceTranslatedZoneExternalID

deviceTranslatedZoneExternalID String 200

deviceTranslatedZoneURI

deviceTranslatedZoneURI String 2048 The URI for theTranslated Zone thatthe device asset hasbeen assigned to inArcSight.

deviceZoneExternalID

deviceZoneExternalID String 200

deviceZoneURI

deviceZoneURI String 2048 The URI for the Zonethat the device assethas been assigned to inArcSight.





dlat destinationGeoLatitude Double The latitudinal valuefromwhich thedestination’s IP addressbelongs.

dlong destinationGeoLongitude Double The longitudinal valuefromwhich thedestination’s IP addressbelongs.

eventId eventId Long This is a unique ID thatArcsight assigns to eachevent.

rawEvent rawEvent String 4000

slat sourceGeoLatitude Double

slong sourceGeoLongitude Double

sourceTranslatedZoneExternalID

sourceTranslatedZoneExternalID

String 200

sourceTranslatedZoneURI

sourceTranslatedZoneURI String 2048 The URI for theTranslated Zone thatthe destination assethas been assigned to inArcSight.

sourceZoneExternalID

sourceZoneExternalID String 200

sourceZoneURI

sourceZoneURI String 2048 The URI for the Zonethat the source assethas been assigned to inArcSight.




Chapter 3: Special MappingsIn some cases, the mappings between fields of the original device and those of the ArcSight ExtensionDictionary are not obvious. In that case, refer to the example in the following tables.

Firewall

Original Field Mapped to CEF Name Mapped to Full Name

Rule Number /

ACL Number

cs1 deviceCustomString1

The severity for a blocked connection is Medium.

The severity for a passed connection is Low.

Anti-Virus


Virus name cs1 deviceCustomString1

Signature / Engine Version cs2 deviceCustomString2

Action (Quarantine, Cleaned, Deleted, ...) act deviceAction

Email


Recipient (for example, [email protected]) duser destinationUserName

Sender (for example, [email protected]) suser sourceUserName

Relay cs1 deviceCustomString1


Wireless


SSID cs2 deviceCustomString2

Channel cn1 deviceCustomNumber1

IPv6 FormatThe connector code automatically sets labels for the IPv6 address fields if the field is set and the label isnot. If you want to set the label explicitly, the correct values are "Device IPv6 Address", "Source IPv6Address", and "Destination IPv6 Address".

If the custom extension name is in IPv6 format and used to map:

l a device address, use c6a1. Use “Device IPv6 Address” as the label, or let the connector code set thelabel for you.

l a source address, use c6a2. Use “Source IPv6 Address” as the label, or let the connector code set thelabel for you.

l a destination address, use c6a3. Use “Destination IPv6 Address” as the label, or let the connectorcode set the label for you.

Note: It is permissible to use abbreviated formats when using IPv6 addresses.

Implementing ArcSight Common Event Format (CEF)Chapter 3: Special Mappings


Chapter 4: User-Defined ExtensionsThe Extension Dictionary provides a set of predefined extension names (CEF names such as "fname"and full names such as "filetype") that should cover most event log requirements. However, vendors'devices may generate more information than can be appropriately mapped into the predefinedextensions or may generate information that does not fit the orientation of the predefined extensions.In such cases, vendors can define their own custom extensions.

Custom Extension Naming GuidelinesNote the following when creating custom extensions.

FormatCustom extension names should take the form VendornameProductnameExplanatoryKeyName

RequirementsCustom extension names should meet the following requirements. Custom extension name(s)

l must be made up of a single word, with no spaces.

l must be alphanumeric.

l names should be as clear and concise as possible.

l may not be named the same as any name listed in ArcSight Extension Dictionary.

Limitations of Custom ExtensionsCustom extension names are recommended for use only when no reasonable mapping of theinformation can be established for a predefined CEF name. While the custom extension namemechanism can be used to safely send information to CEF consumers for storage, there are certainlimitations as to when and how to access the data mapped into them.

Custom extension names also have significant limitations that implementers should be aware of. Theselimitations can fundamentally affect the experience of ArcSight product users.


Limitations Affecting ArcSight ESMl Data submitted to ArcSight ESM using customname extensions is retained; however, it is largely

inaccessible except when directly viewing events. This data shows up in a section called "AdditionalData".

l Data submitted to ArcSight ESM using customname extensions cannot be used directly forreporting, as these "Additional Data" fields are not made available in the reporting schema. Thus, anydata in the "Additional Data" section of events is not available in reports.

l Data submitted to ArcSight ESM using customname extensions cannot be used directly for eventcorrelation (as within Rules, Data Monitors, etc.). Thus, any data in the "Additional Data" section isnot available as output for correlation activities within the ESM system.

Limitations Affecting ArcSight Loggerl Data submitted to ArcSight Logger using customname extensions is retained in the system;

however, it is not available for use in the Logger reporting infrastructure.

l Data submitted to ArcSight Logger using customname extensions is available for viewing by thecustomer using string-based search. Event export is also be available for this purpose.

Implementing ArcSight Common Event Format (CEF)Chapter 4: User-Defined Extensions


Appendix A: Date FormatsCEF supports several variations on time/date formats to identify the time an event occurred accurately.These formats are detailed below.

1. Milliseconds since January 1, 1970 (integer) (This time format supplies an integer with the count inmilliseconds from January 1, 1970 to the time the event occurred.)

2. MMM dd HH:mm:ss.SSS zzz

3. MMM dd HH:mm:ss.SSS

4. MMM dd HH:mm:ss zzz

5. MMM dd HH:mm:ss

6. MMM dd yyyy HH:mm:ss.SSS zzz

7. MMM dd yyyy HH:mm:ss.SSS

8. MMM dd yyyy HH:mm:ss zzz

9. MMM dd yyyy HH:mm:ss

For a key to the date formats shown above, visit the SimpleDateFormat page at:http://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html.


http://docs.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html

Send Documentation FeedbackIf you have comments about this document, you can contact the documentation teamby email. If anemail client is configured on this system, click the link above and an email window opens with thefollowing information in the subject line:

Feedback on Implementing ArcSight Common Event Format (CEF) (Common Event Format May16, 2016)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and sendyour feedback to [email protected].

We appreciate your feedback!


mailto:[email protected]?subject=Feedback on Implementing ArcSight Common Event Format (CEF) (Common Event Format May 16, 2016)

Documents

HPESecurity ArcSight CommonEvent Format - secef.net · HPESecurity ArcSight CommonEvent Format Implementing ArcSight Common Event Format CEF) Version 23 May16,2016