Common Event Format (CEF)
CEF is a text-based log format developed by ArcSight™ and used by HP ArcSight™ products. It uses Syslog as transport. The full format includes a Syslog header or "prefix", a CEF "header", and a CEF "extension". The extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can be used for additional key names. In some cases, the CEF format is used with the Syslog header omitted.
Rule Function
This rule does two things: it parses the Device Product field from the CEF header and sets the LogZilla event program name to that product name, and it parses several other header fields (vendor, product, version, event class, description, and severity) from the CEF message and adds them as key-value pairs to the LogZilla message.
Vendor Documentation
ArcSight Common Event Format (CEF)
User Tags
| Used | Tag Name | CEF Field | Example |
|---|---|---|---|
| ☑ | vendor | vendor | Infoblox |
| ☑ | product_name | product_name | NIOS Threat |
| | product_version | | 6.12.13-299142 |
| | event_class | | 130400100 |
| | description | | WARN & DROP DoS DNS possible reflect... |
| | severity_id | | 8 |
Incoming Log Format
CEF Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
All log fields are used.
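The header layout above is pipe-delimited, but CEF allows a literal pipe inside a header field (escaped as `\|`) and a literal `=` inside an extension value (escaped as `\=`), and the message may or may not carry a Syslog prefix. The following Python parser is an added example, not part of LogZilla or of the ArcSight specification, showing how the six header fields map onto the tag names in the table above and how the extension is split into key-value pairs. The sample messages are constructed for this example (the first is modelled on Example 1 below with its trailing quote closed and a Syslog prefix added); the `HEADER_TAGS`, `parse_cef` and related names are this example's own.

```python
import re

# Tag names from the rule's table, in CEF header order
# (Device Vendor, Device Product, Device Version, Device Event Class ID,
#  Name, Severity). This mapping is the example's own assumption.
HEADER_TAGS = ["vendor", "product_name", "product_version",
               "event_class", "description", "severity_id"]

# An extension key is a run of key characters followed by "=", at the start
# of the extension or after whitespace, so an escaped "\=" inside a value
# never starts a new key.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_header(msg):
    """Split a CEF message into its 7 header fields plus the extension,
    honouring the header escapes "\\|" and "\\\\"."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1])          # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))     # field boundary
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append(msg[i:])                  # remainder is the extension
    return fields


def unescape_ext(value):
    """Resolve the extension escapes \\= \\\\ \\n \\r in a single pass."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Turn "k1=v1 k2=v2 ..." into a dict; values may contain spaces."""
    out = {}
    keys = list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line (Syslog prefix optional) into program name,
    header tags and extension pairs. Raises ValueError on a bad header."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    fields = split_header(line[start:])
    if len(fields) != 8:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    tags = dict(zip(HEADER_TAGS, fields[1:7]))
    return {
        "cef_version": fields[0][len("CEF:"):],
        "program": tags["product_name"],    # what the rule sets as program
        "tags": tags,                        # added as key-value pairs
        "extension": parse_extension(fields[7]),
    }


# Constructed sample messages (not real log data).
SAMPLE_WITH_PREFIX = (
    "<14>Mar 10 12:34:56 ns1 "
    "CEF:0|Infoblox|NIOS Threat|6.12.13-299142|130400100|"
    "WARN & DROP DoS DNS possible reflection/amplification attack attempts|8|"
    'src=54.162.95.5 spt=32544 dst=130.68.176.50 dpt=53 act="ALERT" '
    'cat="DNS Amplification and Reflection"'
)
SAMPLE_ESCAPED = r"CEF:0|Acme\|Corp|Gateway|1.0|100|Pipe \| in name|5|msg=x\=y cs1=hello world"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_PREFIX, SAMPLE_ESCAPED):
        print(parse_cef(sample))
```

Severity is kept as the raw string because CEF permits both numeric (0-10) and word values (Low, Medium, High, Very-High); quoting inside extension values is passed through unchanged since the format assigns it no special meaning.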
Log Examples
Example 1: DoS DNS attack
CEF:0|Infoblox|NIOS Threat|6.12.13-299142|130400100|WARN & DROP DoS DNS possible reflection/amplification attack attempts|8|src=54.162.95.5 spt=32544 dst=130.68.176.50 dpt=53 act="ALERT" cat="DNS Amplification and Reflection
Example 2: Executable code exploit